{ "threat_severity" : "Moderate", "public_date" : "2015-08-05T00:00:00Z", "bugzilla" : { "description" : "subversion: Mixed anonymous/authenticated path-based authz with httpd 2.4", "id" : "1247249", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1247249" }, "cvss" : { "cvss_base_score" : "4.3", "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-285", "details" : [ "mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.", "It was found that the mod_authz_svn module did not properly restrict anonymous access to Subversion repositories under certain configurations when used with Apache httpd 2.4.x. This could allow a user to anonymously access files in a Subversion repository, which should only be accessible to authenticated users." ], "statement" : "This issue did not affect versions of subversion as shipped with Red Hat Enterprise Linux 5 and 6.", "acknowledgement" : "Red Hat would like to thank Apache Software Foundation for reporting this issue.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2015-09-08T00:00:00Z", "advisory" : "RHSA-2015:1742", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "subversion-0:1.7.14-7.el7_1.1" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Not affected", "package_name" : "subversion", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "subversion", "cpe" : "cpe:/o:redhat:enterprise_linux:6" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2015-3184\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-3184\nhttp://subversion.apache.org/security/CVE-2015-3184-advisory.txt" ], "name" : "CVE-2015-3184", "csaw" : false }