CVE-2022-24070

moderate-risk

Published 2022-04-12

Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected.

Do I need to act?

0.99% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (6)

Subversion

Debian Linux

Fedora

Macos

Affected Vendors

Debian Apache Apple Fedoraproject

References (16)

Mailing List http://seclists.org/fulldisclosure/2022/Jul/18

Issue Tracking https://bz.apache.org/bugzilla/show_bug.cgi?id=65861

Vendor Advisory https://cwiki.apache.org/confluence/display/HTTPD/ModuleLife

Issue Tracking https://issues.apache.org/jira/browse/SVN-4880

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://support.apple.com/kb/HT213345

Third Party Advisory https://www.debian.org/security/2022/dsa-5119

Mailing List http://seclists.org/fulldisclosure/2022/Jul/18

Issue Tracking https://bz.apache.org/bugzilla/show_bug.cgi?id=65861

Vendor Advisory https://cwiki.apache.org/confluence/display/HTTPD/ModuleLife

Issue Tracking https://issues.apache.org/jira/browse/SVN-4880

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://support.apple.com/kb/HT213345

Third Party Advisory https://www.debian.org/security/2022/dsa-5119

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 3/34 · Minimal

Exposure 13/34 · Low