CVE-2021-28544 Overview
Apache Subversion servers contain a path-based authorization (authz) bypass vulnerability that exposes protected 'copyfrom' paths to unauthorized users. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original, effectively revealing the existence and location of protected resources. This vulnerability affects both httpd and svnserve servers, potentially compromising the confidentiality of repository structure and revealing internal organizational information that should remain hidden.
Critical Impact
Authenticated users can discover protected repository paths and their structure, potentially exposing sensitive project names, internal codenames, or confidential directory structures that were intended to remain hidden through authz rules.
Affected Products
- Apache Subversion (all affected versions)
- Debian Linux 10.0 and 11.0
- Fedora 35 and 36
- Apple macOS (bundled Subversion)
Discovery Timeline
- 2022-04-12 - CVE-2021-28544 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-28544
Vulnerability Analysis
This vulnerability represents an Information Disclosure flaw (CWE-200) in Apache Subversion's path-based authorization implementation. The root issue lies in how Subversion handles metadata exposure when repository nodes are copied from protected locations to accessible areas.
When an administrator configures authz rules to restrict access to certain paths within a Subversion repository, the expectation is that unauthorized users cannot obtain any information about those protected paths. However, because of this regression in the authz implementation, when a node is copied from a protected path to an accessible location, the 'copyfrom' metadata, which records where the copy originated, is not filtered according to the viewer's authorization level.
This allows any authenticated user with read access to the destination path to discover the existence of protected source paths, effectively bypassing the intended confidentiality controls. While the actual contents of the protected paths remain inaccessible, the path names themselves can reveal sensitive information about internal projects, organizational structure, or security-sensitive components.
Root Cause
The vulnerability stems from improper access control validation during the retrieval of copy history metadata. When Subversion processes requests for repository information, it fails to apply authz rules to the 'copyfrom' path information associated with copied nodes. The authorization check properly restricts access to the content of protected paths but does not extend this protection to the metadata that reveals the path's existence.
This regression affects the server-side components responsible for filtering repository information based on configured authz rules, impacting both the Apache HTTP Server module (mod_dav_svn) and the standalone svnserve daemon.
Attack Vector
The attack can be executed remotely over the network by any authenticated user with legitimate read access to at least some portion of the repository. The exploitation flow involves:
- An attacker authenticates to the Subversion server with valid credentials
- The attacker queries repository history or metadata for paths they have read access to
- When examining nodes that were copied from protected locations, the 'copyfrom' path is revealed
- The attacker extracts information about protected paths, learning their names and existence
This requires no special tools beyond standard Subversion client utilities. The attacker can use commands such as svn log --verbose or svn info to discover the copyfrom paths associated with copied nodes.
Detection Methods for CVE-2021-28544
Indicators of Compromise
- Unusual volume of svn log or svn info requests targeting recently copied paths
- Repeated queries from authenticated users examining copy history metadata across multiple repository areas
- Access log entries showing systematic enumeration of repository structure by users with limited permissions
Detection Strategies
- Monitor Subversion access logs for patterns of metadata queries targeting copied nodes
- Implement audit logging to track when copyfrom information is requested and by whom
- Review authentication logs for accounts querying paths outside their normal working directories
- Analyze query patterns to identify reconnaissance behavior targeting repository structure
Monitoring Recommendations
- Enable verbose logging on both mod_dav_svn and svnserve to capture detailed request information
- Implement alerting for high-frequency metadata queries from single user accounts
- Regularly audit repository access patterns against expected user behavior
- Consider deploying network-level monitoring to detect unusual Subversion protocol activity
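One way to act on the monitoring advice above is to look for bursts of verbose history requests from a single account spread across many paths, which is what systematic enumeration of copy history looks like in the server log. The script below is an added example, not from this page or from the Subversion project. It assumes mod_dav_svn's high-level operational logging as documented in the Subversion book (a CustomLog line using "%t %u %{SVN-ACTION}e"), in which an svn log -v request appears as a "log (path)" action carrying the discover-changed-paths option, the option that makes the server return changed paths and therefore copyfrom information. The sample lines, user names, paths and alert thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of a mod_dav_svn high-level operational log written with
# CustomLog "%t %u %{SVN-ACTION}e". The lines are invented for this example;
# "discover-changed-paths" is what `svn log -v` sends, and it is the verbose
# history request that carries copyfrom information.
SAMPLE_LOG_LINES = """\
[12/Apr/2022:10:00:01 +0000] carol log (/public) r1:r50 discover-changed-paths
[12/Apr/2022:10:00:03 +0000] carol log (/public/project-x) r1:r50 discover-changed-paths
[12/Apr/2022:10:00:05 +0000] carol log (/public/docs) r1:r50 discover-changed-paths
[12/Apr/2022:10:00:07 +0000] carol log (/public/tools) r1:r50 discover-changed-paths
[12/Apr/2022:10:00:09 +0000] carol log (/public/web) r1:r50 discover-changed-paths
[12/Apr/2022:10:00:30 +0000] alice update /public/project-x r50 depth=infinity
[12/Apr/2022:10:01:00 +0000] bob log (/public/project-x) r49:r50 limit=1
this line is not a log entry and is skipped
"""

# [timestamp] user action (paths) options   or   [timestamp] user action /path options
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<user>\S+)\s+(?P<action>\S+)"
    r"(?:\s+\((?P<paths>[^)]*)\)|\s+(?P<path>/\S*))?(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    if m.group("paths") is not None:
        paths = [p.strip() for p in m.group("paths").split(",") if p.strip()]
    elif m.group("path"):
        paths = [m.group("path")]
    else:
        paths = []
    return {"time": ts, "user": m.group("user"), "action": m.group("action"),
            "paths": paths, "options": m.group("rest").split()}


def is_verbose_history(ev):
    """True for a log request that asks for changed paths (svn log -v)."""
    return ev["action"] == "log" and "discover-changed-paths" in ev["options"]


def detect_history_enumeration(lines, window_seconds=60, min_queries=5, min_paths=3):
    """Flag users issuing >= min_queries verbose history requests over >= min_paths
    distinct paths inside a sliding window of window_seconds. Thresholds are
    example values; tune them to the repository's normal traffic."""
    events = [ev for ev in map(parse_line, lines) if ev and is_verbose_history(ev)]
    events.sort(key=lambda e: e["time"])
    recent = defaultdict(deque)   # per-user queue of events inside the window
    alerts = {}
    for ev in events:
        q = recent[ev["user"]]
        q.append(ev)
        while (ev["time"] - q[0]["time"]).total_seconds() > window_seconds:
            q.popleft()
        paths = {p for e in q for p in e["paths"]}
        if len(q) >= min_queries and len(paths) >= min_paths and ev["user"] not in alerts:
            alerts[ev["user"]] = {
                "user": ev["user"], "queries": len(q), "paths": sorted(paths),
                "window_start": q[0]["time"].isoformat(),
                "window_end": ev["time"].isoformat(),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_history_enumeration(SAMPLE_LOG_LINES.splitlines()):
        print(f"{a['user']}: {a['queries']} verbose log requests over "
              f"{len(a['paths'])} paths between {a['window_start']} and {a['window_end']}")
```

Feed it the operational log rather than the generic access log: the SVN-ACTION field names the Subversion operation directly, so the detector does not have to infer intent from HTTP methods. Legitimate tooling (CI history crawlers, release scripts) will also trip a rate rule, so pair the alert with an allow-list of service accounts.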
How to Mitigate CVE-2021-28544
Immediate Actions Required
- Update Apache Subversion to the latest patched version immediately
- Review repository structure to identify any copies made from protected paths to public areas
- Audit current authz configurations to understand what paths may have been exposed
- Consider temporarily restricting repository access while patches are applied
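The second and third actions above (finding copies made from protected paths, and checking them against the authz file) can be combined into one audit. The script below is an added example, not from this page or the Subversion project. It assumes the administrator runs svn log -v --xml with full read access and feeds that output in, together with the server's authz file and a list of user names to evaluate; the repository history and authz rules shown are constructed. The authz evaluator is a deliberately simplified model of Subversion's rules (most specific path section first; within a section, user rule before group rule before "*") and ignores repository-scoped sections, aliases, $authenticated and negated rules.

```python
import configparser
import xml.etree.ElementTree as ET

# Constructed sample of `svn log -v --xml` output, as seen by an administrator
# with full read access: r7 copied /secret/project-x into /public.
SAMPLE_LOG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<log>
<logentry revision="7">
<author>alice</author>
<date>2021-03-01T10:00:00.000000Z</date>
<paths>
<path action="A" kind="dir" copyfrom-path="/secret/project-x" copyfrom-rev="6">/public/project-x</path>
<path action="A" kind="file" copyfrom-path="/public/README" copyfrom-rev="5">/public/docs/README</path>
</paths>
<msg>publish project-x skeleton</msg>
</logentry>
<logentry revision="8">
<author>bob</author>
<date>2021-03-02T10:00:00.000000Z</date>
<paths>
<path action="M" kind="file">/public/project-x/build.sh</path>
</paths>
<msg>fix build</msg>
</logentry>
</log>
"""

# Constructed authz file: everyone may read the repository except /secret,
# which only members of the "core" group can see.
SAMPLE_AUTHZ = """\
[groups]
core = alice, bob

[/]
* = r

[/secret]
* =
@core = rw
"""


def parse_authz(text):
    """Return (groups, rules): group name -> member set, path section -> {principal: perms}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   empty_lines_in_values=False)
    cp.optionxform = str          # keep '*' and '@group' keys exactly as written
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in members.split(",") if m.strip()}
    rules = {s: dict(cp.items(s)) for s in cp.sections() if s.startswith("/")}
    return groups, rules


def _applicable_rule(section_rules, user, groups):
    """Simplified precedence (an assumption of this example): user, then group, then '*'."""
    if user in section_rules:
        return section_rules[user]
    for name, members in groups.items():
        if user in members and "@" + name in section_rules:
            return section_rules["@" + name]
    return section_rules.get("*")


def can_read(path, user, groups, rules):
    """Walk from path up to '/' and apply the first section holding a rule for this user."""
    current = path
    while True:
        if current in rules:
            rule = _applicable_rule(rules[current], user, groups)
            if rule is not None:
                return "r" in rule
        if current == "/":
            return False          # no rule anywhere: authz default is no access
        current = current.rsplit("/", 1)[0] or "/"


def copies_in_log(log_xml):
    """Yield (revision, destination, copyfrom_path, copyfrom_rev) for each copy in the log."""
    root = ET.fromstring(log_xml.encode("utf-8"))
    for entry in root.iter("logentry"):
        rev = int(entry.get("revision"))
        for p in entry.iter("path"):
            src = p.get("copyfrom-path")
            if src is not None:
                yield rev, p.text.strip(), src, int(p.get("copyfrom-rev"))


def find_exposed_copies(log_xml, authz_text, users):
    """Copies whose destination a user can read while the copyfrom path is hidden from them."""
    groups, rules = parse_authz(authz_text)
    findings = []
    for rev, dest, src, src_rev in copies_in_log(log_xml):
        exposed_to = [u for u in users
                      if can_read(dest, u, groups, rules) and not can_read(src, u, groups, rules)]
        if exposed_to:
            findings.append({"revision": rev, "path": dest, "copyfrom_path": src,
                             "copyfrom_rev": src_rev, "exposed_to": exposed_to})
    return findings


if __name__ == "__main__":
    for f in find_exposed_copies(SAMPLE_LOG_XML, SAMPLE_AUTHZ, ["alice", "bob", "carol"]):
        print(f"r{f['revision']}: {f['path']} was copied from protected "
              f"{f['copyfrom_path']}@{f['copyfrom_rev']}; visible to {', '.join(f['exposed_to'])}")
```

Each finding names a copy whose source path an unpatched server would have revealed to the listed users; those are the paths whose names should be assumed known when deciding whether to rename or relocate protected content after patching.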
Patch Information
Apache has released security updates to address this vulnerability. Administrators should upgrade to the patched versions as outlined in the Apache Subversion CVE Advisory. Additional security updates are available from distribution maintainers:
- Debian users should apply the fixes from DSA-5119
- Fedora users should install the updated packages per the Fedora Package Announcement
- Apple macOS users should review Apple Security Knowledge Base HT213345
Workarounds
- Review and minimize the use of copy operations from protected paths to publicly accessible areas
- Consider restructuring repositories to avoid scenarios where copies originate from protected locations
- Implement additional network-level access controls to limit which users can connect to Subversion servers
- Evaluate whether path-based authorization alone provides sufficient protection for highly sensitive content, and consider repository separation for truly confidential data
Confirm which Subversion components are installed before and after patching:
# Verify the Subversion client and library version
svn --version
# Check the svnserve version on the server
svnserve --version
# Confirm that mod_dav_svn is loaded in httpd (apachectl -M lists loaded modules, not versions; the Subversion package version applies to the module)
apachectl -M | grep svn
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.