CVE-2020-17525

Description

Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL. This can lead to disruption for users of the service. This issue was fixed in mod_dav_svn+mod_authz_svn servers 1.14.1 and mod_dav_svn+mod_authz_svn servers 1.10.7

How to fix CVE-2020-17525

To remediate CVE-2020-17525, upgrade the affected package to a fixed version below.

• —upgrade to 1.12.2-r1 or later
• —upgrade to 1.10.7 or later
• —upgrade to 1.14.1-1 or later
• —upgrade to 1.9.5-1+deb9u6 or later
• —upgrade to 1.10.4-1+deb10u2 or later

Is CVE-2020-17525 being exploited?

Moderate — EPSS is 14.8%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (5)

• from 0, < 1.12.2-r1
• >= 1.9.0, < 1.10.7, >= 1.11.0, < 1.14.1
• from 0, < 1.14.1-1
• from 0, < 1.9.5-1+deb9u6
• from 0, < 1.10.4-1+deb10u2

CVSS scores

References (5)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2020-17525
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-17525
• WEBlists.debian.org/debian-lts-announce/2021/05/msg00000.html
• WEBnvd.nist.gov/vuln/detail/CVE-2020-17525