CVE Published: 09/10/2024 |
CVE Updated: 09/10/2024 |
CVE Year: 2024 Source: apache |
Vendor: Apache Software Foundation |
Product: Apache Subversion Status : PUBLISHED
CVE-2024-45720 Description
On Windows platforms, a "best fit" character encoding conversion of command line arguments to Subversion\'s executables (e.g., svn.exe, etc.) may lead to unexpected command line argument interpretation, including argument injection and execution of other programs, if a specially crafted command line argument string is processed.
All versions of Subversion up to and including Subversion 1.14.3 are affected on Windows platforms only. Users are recommended to upgrade to version Subversion 1.14.4, which fixes this issue.
Subversion is not affected on UNIX-like platforms.
Metrics
CVSS Version: 3.1 |
Base Score: 8.2 HIGH Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
l➤ Impact Metrics: Confidentiality Impact (C)* HIGH Integrity Impact (I)* HIGH Availability Impact (A)* HIGH
Weakness Enumeration (CWE)
CWE-ID: CWE-78 CWE Name: CWE-78 Improper Neutralization of Special Elements used in an OS Command (
OS Command Injection
) Source: Apache Software Foundation
Common Attack Pattern Enumeration and Classification (CAPEC)