Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2012-3356 CVE-2012-3357 |
CWE-ID | CWE-287 CWE-200 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
ViewVC Web applications / Modules and components for CMS |
Vendor | ViewVC |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU43806
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-3356
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsViewVC: 0.8 - 1.1.13
External linkshttp://osvdb.org/83225
http://viewvc.tigris.org/issues/show_bug.cgi?id=353
http://viewvc.tigris.org/source/browse/*checkout*/viewvc/tags/1.1.15/CHANGES
http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2755
http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2756
http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2757
http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2759
http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2760
http://www.debian.org/security/2012/dsa-2563
http://www.mandriva.com/security/advisories?name=MDVSA-2013:134
http://www.openwall.com/lists/oss-security/2012/06/25/8
http://www.securityfocus.com/bid/54197
http://exchange.xforce.ibmcloud.com/vulnerabilities/76614
http://lwn.net/Articles/505096/
http://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU43807
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-3357
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a "log msg leak."
MitigationInstall update from vendor's website.
Vulnerable software versionsViewVC: 0.8 - 1.1.13
External linkshttp://osvdb.org/83227
http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2758
http://www.debian.org/security/2012/dsa-2563
http://www.mandriva.com/security/advisories?name=MDVSA-2013:134
http://www.openwall.com/lists/oss-security/2012/06/25/8
http://www.securityfocus.com/bid/54199
http://exchange.xforce.ibmcloud.com/vulnerabilities/76615
http://lwn.net/Articles/505096/
http://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.