CVE-2016-8734

MEDIUM

Description

Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU resources or memory.
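The mechanism named in the description is a DTD that declares entities which reference each other so that a short document expands to a very large one. One defensive approach a parser can take is to refuse entity declarations outright, so nothing is ever expanded and the parsing cost stays proportional to the input size. The example below is added here to illustrate that check with Python's expat bindings; it is not code from Subversion or from the advisory, and the two sample documents are constructed for the example.

```python
import xml.parsers.expat

# Constructed sample: a DTD declaring nested internal entities, the shape
# that grows exponentially when each level references the previous one
# several times. Kept deliberately small here.
NESTED_ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE d [
  <!ENTITY a "x">
  <!ENTITY b "&a;&a;">
  <!ENTITY c "&b;&b;">
]>
<d>&c;</d>"""

# Constructed sample: an ordinary document with no DTD at all.
PLAIN_DOC = '<?xml version="1.0"?><d><e>ok</e></d>'


class EntityDeclarationRejected(Exception):
    """Raised when the DTD declares an entity; the document is refused."""


def parse_rejecting_entities(data: str) -> list:
    """Parse `data` with expat but abort on the first entity declaration.

    expat calls the entity-declaration handler before any expansion takes
    place, so raising from the handler stops the parse while the work done
    is still bounded by the size of the input. Returns the element names
    encountered, in document order.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Any declared entity, internal or external, is grounds for refusal.
        raise EntityDeclarationRejected(f"entity declaration {name!r} refused")

    def on_start(name, attrs):
        seen.append(name)

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.Parse(data, True)
    return seen


def is_accepted(data: str) -> bool:
    """True if the document parses under the no-entities policy."""
    try:
        parse_rejecting_entities(data)
    except EntityDeclarationRejected:
        return False
    return True


if __name__ == "__main__":
    print("plain document accepted:", is_accepted(PLAIN_DOC))
    print("nested-entity document accepted:", is_accepted(NESTED_ENTITY_DOC))
```

Refusing all entity declarations is stricter than most XML consumers need, but for a protocol parser that never expects a DTD it is the simplest policy to reason about: the document is rejected at the first `<!ENTITY` rather than after a size or depth counter trips.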

References

http://www.debian.org/security/2017/dsa-3932

http://www.securityfocus.com/bid/94588

http://www.securitytracker.com/id/1037361

https://lists.apache.org/thread.html/[email protected]%3Cannounce.apache.org%3E

https://subversion.apache.org/security/CVE-2016-8734-advisory.txt

https://www.oracle.com/security-alerts/cpuoct2020.html

Details

Source: MITRE

Published: 2017-10-16

Updated: 2020-10-20

Type: CWE-400

Risk Information

CVSS v2.0

Base Score: 4

Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8

Severity: MEDIUM

CVSS v3.0

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 2.8

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:subversion:1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.4.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.4.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.4.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.4.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.4.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.4.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.5.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.5.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.5.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.5.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.5.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.5.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.5.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.5.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.5.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.19:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.20:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.21:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.6.23:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.19:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.7.20:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.8.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.9.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.9.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.9.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.9.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:subversion:1.9.4:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Tenable Plugins

ID     | Name                                                                                                                                                      | Product                | Family                               | Severity
132204 | EulerOS 2.0 SP3 : subversion (EulerOS-SA-2019-2669)                                                                                                       | Nessus                 | Huawei Local Security Checks         | high
131824 | EulerOS 2.0 SP5 : subversion (EulerOS-SA-2019-2550)                                                                                                       | Nessus                 | Huawei Local Security Checks         | high
131657 | EulerOS 2.0 SP2 : subversion (EulerOS-SA-2019-2504)                                                                                                       | Nessus                 | Huawei Local Security Checks         | high
121782 | Photon OS 1.0: Subversion PHSA-2017-1.0-0093                                                                                                              | Nessus                 | PhotonOS Local Security Checks       | high
111903 | Photon OS 1.0: Apr / Krb5 / Linux / Ncurses / Subversion PHSA-2017-1.0-0093 (deprecated)                                                                  | Nessus                 | PhotonOS Local Security Checks       | high
102424 | Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : subversion vulnerabilities (USN-3388-1)                                                                            | Nessus                 | Ubuntu Local Security Checks         | high
102372 | Debian DSA-3932-1 : subversion - security update                                                                                                          | Nessus                 | Debian Local Security Checks         | high
97024  | Amazon Linux AMI : subversion / mod_dav_svn (ALAS-2017-794)                                                                                               | Nessus                 | Amazon Linux Local Security Checks   | medium
9907   | Apache Subversion 1.8.x < 1.8.17 / 1.9.x < 1.9.5 DoS                                                                                                      | Nessus Network Monitor | Web Servers                          | medium
96360  | Fedora 25 : subversion (2017-c629f16f6c)                                                                                                                  | Nessus                 | Fedora Local Security Checks         | medium
95707  | openSUSE Security Update : subversion (openSUSE-2016-1435)                                                                                                | Nessus                 | SuSE Local Security Checks           | medium
95409  | FreeBSD : subversion -- Unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s) (ac256985-b6a9-11e6-a3bf-206a8a720317) | Nessus                 | FreeBSD Local Security Checks        | medium