Vulnerability Description
Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Opensuse | Opensuse | 12.3 |
| Apache | Subversion | 1.0.0 |
| Canonical | Ubuntu Linux | 12.04 |
| Apple | Xcode | 6.1.1 |
| Redhat | Enterprise Linux Desktop | 6.0 |
| Redhat | Enterprise Linux Hpc Node | 6.0 |
| Redhat | Enterprise Linux Server | 6.0 |
| Redhat | Enterprise Linux Server Eus | 6.6.z |
| Redhat | Enterprise Linux Workstation | 6.0 |
Related Weaknesses (CWE)
References
- http://lists.apple.com/archives/security-announce/2015/Mar/msg00003.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-updates/2014-08/msg00038.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2015-0165.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2015-0166.htmlThird Party Advisory
- http://secunia.com/advisories/59432
- http://secunia.com/advisories/59584
- http://secunia.com/advisories/60722
- http://subversion.apache.org/security/CVE-2014-3528-advisory.txtVendor Advisory
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.securityfocus.com/bid/68995
- http://www.ubuntu.com/usn/USN-2316-1Vendor Advisory
- https://security.gentoo.org/glsa/201610-05
- https://support.apple.com/HT204427Third Party Advisory
- http://lists.apple.com/archives/security-announce/2015/Mar/msg00003.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-updates/2014-08/msg00038.htmlThird Party Advisory
FAQ
What is CVE-2014-3528?
CVE-2014-3528 is a vulnerability with a CVSS score of 4.0 (MEDIUM). Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers t...
How severe is CVE-2014-3528?
CVE-2014-3528 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-3528?
Check the references section above for vendor advisories and patch information. Affected products include: Opensuse Opensuse, Apache Subversion, Canonical Ubuntu Linux, Apple Xcode, Redhat Enterprise Linux Desktop.