CVE-2024-45720 HIGH

CVE-2024-45720: Apache Subversion: Command line argument injection on Windows platforms

Vendor Apache Software Foundation

Product Apache Subversion

Weakness CWE-78

Published October 9, 2024

Last update October 9, 2024

View on NVD All CVEs

CVSS base score

8.2/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

Description

On Windows platforms, a "best fit" character encoding conversion of command line arguments to Subversion's executables (e.g., svn.exe, etc.) may lead to unexpected command line argument interpretation, including argument injection and execution of other programs, if a specially crafted command line argument string is processed. All versions of Subversion up to and including Subversion 1.14.3 are affected on Windows platforms only. Users are recommended to upgrade to version Subversion 1.14.4, which fixes this issue. Subversion is not affected on UNIX-like platforms.

Key dates

Disclosure timeline

October 9, 2024 CVE published

October 9, 2024 Record updated

Identifiers

CVE CVE-2024-45720

CWE CWE-78

CVSS 8.2 / HIGH

Affected versions

Vendor Apache Software Foundation

Product Apache Subversion

Affected ≥ 1.0.0 and ≤ 1.14.3