Alpine: mod_dav_svn, multiple subversion packages, perl-subversion: security update to 1.14.2-r0

medium Tenable Cloud Security Plugin ID 424544

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths
that should be hidden according to configured path-based authorization (authz) rules. When a node has been
copied from a protected location, users with access to the copy can see the 'copyfrom' path of the
original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not
its contents. Both httpd and svnserve servers are vulnerable. (CVE-2021-28544)

- Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization
rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion
mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not
affected. (CVE-2022-24070)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-28544

https://security.alpinelinux.org/vuln/CVE-2022-24070

Plugin Details

Severity: Medium

ID: 424544

Version: Revision 1.8

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.7

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2021-28544

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/12/2022

Reference Information

CVE: CVE-2021-28544, CVE-2022-24070