-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability CVE-2024-46901 concerns insufficient validation of filenames against control characters in Apache Subversion repositories served via mod_dav_svn. The provided patch information from the advisory clearly shows the introduction of a new validation function, 'svn_repos__validate_new_path', and its integration into several functions within the mod_dav_svn module and one function in libsvn_repos. The functions 'append_locks', 'open_stream', 'create_collection', 'copy_resource', and 'move_resource' are all part of 'mod_dav_svn' and handle client requests that involve paths (for locking, creating files/collections, copying, and moving resources). The patch explicitly adds calls to 'svn_repos__validate_new_path' in these functions, indicating that they previously lacked this specific validation and would process paths containing control characters, leading to the vulnerability. The function 'add_file_or_directory' in 'libsvn_repos/commit.c' is involved in the core commit process. Its validation call was changed from 'svn_path_check_valid' to 'svn_repos__validate_new_path'. This suggests that even if some validation was present, it was insufficient in the context of commits originating from 'mod_dav_svn', or this change was made for consistency with the stricter validation now enforced at the 'mod_dav_svn' layer. Since the vulnerability allows committing a corrupted revision through 'mod_dav_svn', this function is part of the vulnerable pathway. These functions, prior to the patch, would accept and process paths with control characters when operations were performed via mod_dav_svn, leading to potential repository corruption and denial of service.
KEV Misses 88% of Exploited CVEs- Get the report