CVE-2014-8108

Impact:
Moderate
Public Date:
2014-12-15
CWE:
CWE-476
Bugzilla:
1174057: CVE-2014-8108 subversion: NULL pointer dereference flaw in mod_dav_svn when handling URIs for virtual transaction names
A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled certain requests for URIs that trigger a lookup of a virtual transaction name. A remote, unauthenticated attacker could send a request for a virtual transaction name that does not exist, causing mod_dav_svn to crash.

Find out more about CVE-2014-8108 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This issue did not affect the versions of subversion as shipped with Red Hat Enterprise Linux 5 and 6.

CVSS v2 metrics

Base Score 4.3
Base Metrics AV:N/AC:M/Au:N/C:N/I:N/A:P
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 7 (subversion) RHSA-2015:0166 2015-02-10

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 6 subversion Not affected
Red Hat Enterprise Linux 5 subversion Not affected
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although may not have been subject to full analysis.

Acknowledgements

Red Hat would like to thank the Subversion project for reporting this issue. Upstream acknowledges Evgeny Kotkov of VisualSVN as the original reporter.

External References

Last Modified