Apache Subversion Security

The Apache Software Foundation provides a framework and team of folks for handling reports of security vulnerabilities. If you discover a security vulnerability in Apache Subversion, please follow the instructions found here:

https://www.apache.org/security/

To learn more about how the Subversion development team treats discovered and reported security vulnerabilities, please visit the Security section of the Community Guide.

Previous Security Advisories

The following are a list of past security advisories issued by the Subversion project.

Document Affected Version(s) Description
svn-sscanf-advisory.txt 1.0.0-1.0.2 Date parser buffer overflow.
CAN-2004-0413-advisory.txt 1.0.0-1.0.4 Denial of Service and Heap Overflow issue related to string parsing in svnserve
mod_authz_svn-copy-advisory.txt 1.0.0-1.0.5 mod_authz_svn exposure of unreadable paths via deep copy to readable location.
CAN-2004-0749-advisory.txt 1.0.0-1.0.7, 1.1.0-rcX Revision metadata leakage in mod_dav_svn.
CVE-2007-2448-advisory.txt 1.0.1-1.4.3 Revision metadata leakage via 'svn prop*' commands.
CVE-2007-3846-advisory.txt 1.0.0-1.4.4 Remote file delivery and installation via path mis-handling.
CVE-2009-2411-advisory.txt 1.0.0-1.6.3 Heap Overflow in binary delta parser.
CVE-2010-3315-advisory.txt 1.5.0-1.5.7, 1.6.0-1.6.12 mod_dav_svn exposure of unreadable paths when SVNPathAuthz "short_circuit" is employed.
CVE-2010-4539 1.0.0-1.5.8, 1.6.0-1.6.13 mod_dav_svn potential crash when using SVNParentPath
CVE-2010-4644 1.5.0-1.5.8, 1.6.0-1.6.13 Server out-of-memory error caused by 'blame -g'
CVE-2011-0715-advisory.txt 1.2.0-1.5.9, 1.6.0-1.6.15 Server NULL-pointer dereference
CVE-2011-1752-advisory.txt 1.0.0-1.6.16 Server NULL-pointer dereference
CVE-2011-1783-advisory.txt 1.5.0-1.6.16 Server memory exhaustion
CVE-2011-1921-advisory.txt 1.5.0-1.6.16 mod_dav_svn exposure of unreadable paths
CVE-2013-1845-advisory.txt 1.0.0-1.6.20 and 1.7.0-1.7.8 mod_dav_svn excessive memory usage from property changes
CVE-2013-1846-advisory.txt 1.0.0-1.6.20 and 1.7.0-1.7.8 mod_dav_svn crashes on LOCK requests against activity URLs
CVE-2013-1847-advisory.txt 1.6.0-1.6.20 and 1.7.0-1.7.8 mod_dav_svn crashes on LOCK requests against non-existant URLs
CVE-2013-1849-advisory.txt 1.0.0-1.6.20 and 1.7.0-1.7.8 mod_dav_svn crashes on PROPFIND requests against activity URLs
CVE-2013-1884-advisory.txt 1.7.0-1.7.8 mod_dav_svn crashes on out of range limit in log REPORT request
CVE-2013-1968-advisory.txt 1.1.0-1.6.23 and 1.7.0-1.7.9 fsfs repositories can be corrupted by newline characters in filenames
CVE-2013-2088-advisory.txt 1.2.0-1.6.23 (see advisory) contrib hook-scripts can allow arbitrary code execution
CVE-2013-2112-advisory.txt 1.0.0-1.6.21 and 1.7.0-1.7.9 svnserve remotely triggerable DoS
CVE-2013-4131-advisory.txt 1.6.0-1.7.10 and 1.8.0 mod_dav_svn assertion from requests against root path
CVE-2013-4246-advisory.txt 1.8.0 - 1.8.1 fsfs: corruption from editing packed revision properties
CVE-2013-4262-advisory.txt 1.8.0 - 1.8.2 admin-side tools: symlink attack against pid file
CVE-2013-4277-advisory.txt 1.4.0-1.7.12 and 1.8.0-1.8.2 svnserve: symlink attack against pid file
CVE-2013-4505-advisory.txt 1.4.0-1.7.13 and 1.8.0-1.8.4 mod_dontdothat does not restrict requests from serf based clients
CVE-2013-4558-advisory.txt 1.7.11-1.7.13 and 1.8.1-1.8.4 mod_dav_svn assertion triggered by non-canonical URLs in autoversioning commits
CVE-2014-0032-advisory.txt 1.3.0-1.7.14 and 1.8.0-1.8.5 mod_dav_svn DoS vulnerability with SVNListParentPath
CVE-2014-3522-advisory.txt 1.4.0-1.7.17 and 1.8.0-1.8.9 ra_serf improper validation of wildcards in SSL certs
CVE-2014-3528-advisory.txt 1.0.0-1.7.17 and 1.8.0-1.8.9 credentials cached with svn may be sent to wrong server
CVE-2014-3580-advisory.txt 1.0.0-1.7.18 and 1.8.0-1.8.10 mod_dav_svn DoS vulnerability with invalid REPORT requests
CVE-2014-8108-advisory.txt 1.7.0-1.7.18 and 1.8.0-1.8.10 mod_dav_svn DoS vulnerability with invalid virtual transaction names
CVE-2015-0202-advisory.txt 1.8.0-1.8.11 Subversion HTTP servers with FSFS repositories are vulnerable to a remotely triggerable excessive memory use with certain REPORT requests
CVE-2015-0248-advisory.txt 1.6.0-1.7.19 and 1.8.0-1.8.11 Subversion mod_dav_svn and svnserve are vulnerable to a remotely triggerable assertion DoS vulnerability for certain requests with dynamically evaluated revision numbers
CVE-2015-0251-advisory.txt 1.5.0-1.7.19 and 1.8.0-1.8.11 Subversion HTTP servers allow spoofing svn:author property values for new revisions
CVE-2015-3184-advisory.txt 1.7.0-1.7.20 and 1.8.0-1.8.13 Subversion's mod_authz_svn does not properly restrict anonymous access in some mixed anonymous/authenticated environments when using Apache httpd 2.4.
CVE-2015-3187-advisory.txt 1.7.0-1.7.20 and 1.8.0-1.8.13 Subversion servers, both httpd and svnserve, will reveal some paths that should be hidden by path-based authz.
CVE-2015-5259-advisory.txt 1.9.0-1.9.2 Remotely triggerable heap overflow and out-of-bounds read caused by integer overflow in the svn:// protocol parser.
CVE-2016-2167-advisory.txt 1.5.0-1.8.15 and 1.9.0-1.9.3 svnserve/sasl may authenticate users using the wrong realm.
CVE-2016-2168-advisory.txt 1.0.0-1.8.15 and 1.9.0-1.9.3 Remotely triggerable DoS vulnerability in mod_authz_svn during COPY/MOVE authorization check.
CVE-2016-8734-advisory.txt [PGP] 1.4.0-1.8.16 and 1.9.0-1.9.4 Unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s)://
sha1-advisory.txt 1.1.0-1.8.17 and 1.9.0-1.9.5 Apache Subversion is unable to store SHA1 collisions.
CVE-2017-9800-advisory.txt [PGP] 1.0.0-1.8.18 and 1.9.0-1.9.6 and 1.10.0-alpha1-1.10.0-alpha3 Arbitrary code execution on clients through malicious svn+ssh URLs in svn:externals and svn:sync-from-url
CVE-2018-11803-advisory.txt [PGP] 1.10.0-1.10.3 and 1.11.0 Subversion's mod_dav_svn Apache HTTPD module will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation.
CVE-2018-11782-advisory.txt [PGP] 1.9.0-1.9.10, 1.10.0-1.10.4, 1.11.0-1.11.1, 1.12.0 Remotely triggerable DoS vulnerability in svnserve 'get-deleted-rev'.
CVE-2019-0203-advisory.txt [PGP] 1.9.0-1.9.10, 1.10.0-1.10.4, 1.11.0-1.11.1, 1.12.0 Remote unauthenticated denial-of-service in Subversion svnserve.
CVE-2020-17525-advisory.txt [PGP] 1.9.0-1.9.10, 1.10.0-1.10.6, 1.11.0-1.11.1, 1.12.0-1.12.2, 1.13.0, 1.14.0 Remote unauthenticated denial-of-service in mod_authz_svn.
CVE-2021-28544-advisory.txt [PGP] 1.10.0-1.10.7, 1.14.0-1.14.1 SVN authz protected copyfrom paths regression
CVE-2022-24070-advisory.txt [PGP] 1.10.0-1.10.7, 1.14.0-1.14.1 mod_dav_svn is vulnerable to memory corruption
CVE-2024-45720-advisory.txt [PGP] 1.0.0-1.10.8, 1.14.0-1.14.3 Subversion command line argument injection on Windows platforms
CVE-2024-46901-advisory.txt [PGP] 1.0.0-1.14.4 mod_dav_svn denial-of-service via control characters in paths