Main Vulnerability Database SB2016060206

SB2016060206 - Improper access control in subversion (Alpine package)

Published: June 2, 2016

Security Bulletin ID SB2016060206

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper access control (CVE-ID: CVE-2016-2167)

The vulnerability allows a remote authenticated user to read and manipulate data.

The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=fe1d1a2fab1c84836f19bfa20a7e548b8a6ac9dd
https://git.alpinelinux.org/aports/commit/?id=0d0b6cb451564d086ca34469198bd646490a1f51
https://git.alpinelinux.org/aports/commit/?id=bb0c450ee6bb7a95291723179e07be9cab71246d