Allele Security Alert
ASA-2019-00031
Identifier(s)
ASA-2019-00031, CVE-2018-11803
Title
Malicious SVN clients can crash mod_dav_svn
Vendor(s)
Apache Software Foundation
Product(s)
Apache Subversion
Affected version(s)
Apache Subversion versions 1.10.0 up to and including 1.10.3
Apache Subversion version 1.11.0
Fixed version(s)
Apache Subversion version 1.10.4
Apache Subversion version 1.11.1
Proof of concept
Unknown
Description
Subversion 1.10.0 introduced server-side support for recursive directory listing operations. The implementation in mod_dav_svn failed to validate the root path of the directory listing provided by the client. If the client omits the root path, mod_dav_svn will dereference an uninitialized pointer variable and crash the HTTPD worker process handling the request.
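The bug class described above, as an added C illustration that is not mod_dav_svn source code and is not taken from the advisory. It is a simplified model: the struct layout, the element names ("path", "depth"), the status constants and both function names are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a parsed request body: a list of element name/value
   pairs. Types and names are hypothetical, not Subversion's. */
struct elem { const char *name; const char *value; };
struct report { const struct elem *elems; size_t n; };

enum { ST_OK = 200, ST_BAD_REQUEST = 400 };

#ifdef SHOW_FLAWED_PATTERN
/* Flawed pattern: 'path' is assigned only when the client sent the element.
   If the element is omitted, strlen() reads an uninitialized pointer. */
int list_flawed(const struct report *r, size_t *path_len)
{
    const char *path;                        /* never initialized */
    for (size_t i = 0; i < r->n; i++)
        if (strcmp(r->elems[i].name, "path") == 0)
            path = r->elems[i].value;
    *path_len = strlen(path);                /* crashes when element is missing */
    return ST_OK;
}
#endif

/* Hardened form: initialize to NULL, then reject the request before any use
   if the required element is absent or carries no value. */
int list_hardened(const struct report *r, size_t *path_len)
{
    const char *path = NULL;

    if (path_len == NULL)
        return ST_BAD_REQUEST;
    *path_len = 0;
    if (r == NULL || (r->n > 0 && r->elems == NULL))
        return ST_BAD_REQUEST;
    for (size_t i = 0; i < r->n; i++) {
        const struct elem *e = &r->elems[i];
        if (e->name != NULL && strcmp(e->name, "path") == 0)
            path = e->value;
    }
    if (path == NULL)
        return ST_BAD_REQUEST;               /* client omitted the root path */
    *path_len = strlen(path);
    return ST_OK;
}
```

The flawed variant is compiled only when SHOW_FLAWED_PATTERN is defined, so the default build contains just the validated handler.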
Technical details
Unknown
Credits
Ivan Zhakov
Reference(s)
Malicious SVN clients can crash mod_dav_svn.
https://subversion.apache.org/security/CVE-2018-11803-advisory.txt
[CVE-2018-11803] Apache Subversion Denial of Service Vulnerability
https://seclists.org/oss-sec/2019/q1/83
CVE-2018-11803
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11803
CVE-2018-11803
https://nvd.nist.gov/vuln/detail/CVE-2018-11803
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 2, 2019