{
  "threat_severity" : "Low",
  "public_date" : "2013-12-13T00:00:00Z",
  "bugzilla" : {
    "description" : "subversion: credentials leak via MD5 collision",
    "id" : "1125799",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1125799"
  },
  "cvss" : {
    "cvss_base_score" : "2.6",
    "cvss_scoring_vector" : "AV:N/AC:H/Au:N/C:P/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-327->CWE-201",
  "details" : [ "Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm.", "It was discovered that Subversion clients retrieved cached authentication credentials using the MD5 hash of the server realm string without also checking the server's URL. A malicious server able to provide a realm that triggers an MD5 collision could possibly use this flaw to obtain the credentials for a different realm." ],
  "statement" : "Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2015-02-10T00:00:00Z",
    "advisory" : "RHSA-2015:0165",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "subversion-0:1.6.11-12.el6_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-02-10T00:00:00Z",
    "advisory" : "RHSA-2015:0166",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "subversion-0:1.7.14-7.el7_0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "subversion",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-3528\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3528\nhttp://subversion.apache.org/security/CVE-2014-3528-advisory.txt" ],
  "name" : "CVE-2014-3528",
  "csaw" : false
}