|Description||The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz short_circuit option is disabled, does not properly enforce permissions for files that had been publicly readable in the past, which allows remote attackers to obtain sensitive information via a replay REPORT operation.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
|Source Package||Release||Version||Status|
|subversion (PTS)||buster, buster (security)||1.10.4-1+deb10u3||fixed|
|subversion (PTS)||bullseye (security), bullseye||1.14.1-3+deb11u1||fixed|
|subversion (PTS)||sid, trixie, bookworm||1.14.2-4||fixed|
The information below is based on the following data on fixed versions.