CVE-2024-46901

Insufficient validation of filenames against control characters in Apache Subversion repositories served via mod_dav_svn allows authenticated users with commit access to commit a corrupted revision, leading to disruption for users of the repository. All versions of Subversion up to and including Subversion 1.14.4 are affected if serving repositories via mod_dav_svn. Users are recommended to upgrade to version 1.14.5, which fixes this issue. Repositories served via other access methods are not affected.

CVSS v3 3.1 LOW

3.1^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.6 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://subversion.apache.org/security/CVE-2024-46901-advisory.txt	Exploit Vendor Advisory
https://lists.debian.org/debian-lts-announce/2025/04/msg00023.html	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:subversion:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

History

15 Jul 2025, 16:35

Type	Values Removed	Values Added
First Time		Apache Debian Debian debian Linux Apache subversion
CPE		cpe:2.3:a:apache:subversion:::::::: cpe:2.3:o:debian:debian_linux:11.0:::::::*
References	~~() https://subversion.apache.org/security/CVE-2024-46901-advisory.txt -~~	() https://subversion.apache.org/security/CVE-2024-46901-advisory.txt - Exploit, Vendor Advisory
References	~~() https://lists.debian.org/debian-lts-announce/2025/04/msg00023.html -~~	() https://lists.debian.org/debian-lts-announce/2025/04/msg00023.html - Mailing List, Third Party Advisory

13 Apr 2025, 21:15

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2025/04/msg00023.html -

09 Dec 2024, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-09 10:15

Updated : 2025-07-15 16:35

NVD link : CVE-2024-46901

Mitre link : CVE-2024-46901

CVE.ORG link : CVE-2024-46901

JSON object : View

Products Affected

debian

debian_linux

apache

subversion

CWE

CWE-20

Improper Input Validation

CWE-116

Improper Encoding or Escaping of Output

{"id": "CVE-2024-46901", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@apache.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-12-09T10:15:05.230", "references": [{"url": "https://subversion.apache.org/security/CVE-2024-46901-advisory.txt", "tags": ["Exploit", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00023.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-116"}]}], "descriptions": [{"lang": "en", "value": "Insufficient validation of filenames against control characters in Apache Subversion repositories served via mod_dav_svn allows authenticated users with commit access to commit a corrupted revision, leading to disruption for users of the repository.\n\nAll versions of Subversion up to and including Subversion 1.14.4 are affected if serving repositories via mod_dav_svn. Users are recommended to upgrade to version 1.14.5, which fixes this issue.\n\nRepositories served via other access methods are not affected."}, {"lang": "es", "value": "La validaci\u00f3n insuficiente de los nombres de archivo con respecto a los caracteres de control en Apache Subversion repositories que se sirven a trav\u00e9s de mod_dav_svn permite que los usuarios autenticados con acceso de confirmaci\u00f3n confirmen una revisi\u00f3n da\u00f1ada, lo que genera interrupciones para los usuarios del repositorio. Todas las versiones de Subversion hasta Subversion 1.14.4 incluida se ven afectadas si se sirven repositorios a trav\u00e9s de mod_dav_svn. Se recomienda a los usuarios que actualicen a la versi\u00f3n 1.14.5, que soluciona este problema. Los repositorios que se sirven a trav\u00e9s de otros m\u00e9todos de acceso no se ven afectados."}], "lastModified": "2025-07-15T16:35:39.093", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:subversion:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D0044D4E-5597-4E3C-B300-B0D36A707F58", "versionEndExcluding": "1.14.5"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}