CVE-2024-46901

Description

Insufficient validation of filenames against control characters in Apache Subversion repositories served via mod_dav_svn allows authenticated users with commit access to commit a corrupted revision, leading to disruption for users of the repository. All versions of Subversion up to and including Subversion 1.14.4 are affected if serving repositories via mod_dav_svn. Users are recommended to upgrade to version 1.14.5, which fixes this issue. Repositories served via other access methods are not affected.

How to fix CVE-2024-46901

To remediate CVE-2024-46901, upgrade the affected package to a fixed version below.

• —upgrade to 1.14.5-r0 or later
• —upgrade to 1.14.5 or later
• —upgrade to 1.14.1-3+deb11u2 or later
• —upgrade to 1.14.1-3+deb11u2 or later

Is CVE-2024-46901 being exploited?

Moderate — EPSS is 5.8%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (4)

• from 0, < 1.14.5-r0
• from 0, < 1.14.5
• from 0, < 1.14.1-3+deb11u2
• from 0, < 1.14.1-3+deb11u2

CVSS scores

References (5)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2024-46901
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-46901
• WEBlists.debian.org/debian-lts-announce/2025/04/msg00023.html
• WEBnvd.nist.gov/vuln/detail/CVE-2024-46901