      request #16213 SQL injection in the "SVN core" commits browser
    Infos
    #16213
    Thomas Gerbet (tgerbet)
    2021-10-19 12:07
    2020-08-12 11:48
    17415
    Details
    SQL injection in the "SVN core" commits browser

    Tuleap does not properly sanitize user input when constructing the SQL query used to browse and search commits in the legacy Subversion repositories.

    Impact

    An attacker with read access to a "SVN core" repository could execute arbitrary SQL queries.
    CVSSv3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

    Exploitation

    The issue can be demonstrated in a repository with multiple commits by adding the morder GET parameter to the request and setting it to something like revision LIMIT 1--. Only one commit will be displayed instead of the complete list.
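
    The behaviour described above, reproduced as an added example that is not Tuleap's code: a sort parameter concatenated into ORDER BY next to an allowlisted version. The table, column names, function names and the use of SQLite are assumptions; the page does not show the actual query.

```python
import sqlite3

# Constructed sample data; schema and names are hypothetical, not Tuleap's.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE commits (revision INTEGER, author TEXT)")
    db.executemany(
        "INSERT INTO commits VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "alice")],
    )
    return db

def list_commits_vulnerable(db, morder):
    # Column names cannot be bound as parameters, so the sort key is
    # concatenated into the statement. A value ending in "--" comments
    # out everything after it, here the trailing LIMIT clause.
    sql = "SELECT revision, author FROM commits ORDER BY " + morder + " LIMIT 50"
    return db.execute(sql).fetchall()

# Allowlist: request value -> fixed SQL fragment chosen by the developer.
SORT_COLUMNS = {"revision": "revision", "author": "author"}

def list_commits_hardened(db, morder, limit=50):
    # Only text from SORT_COLUMNS ever reaches the SQL string; anything
    # else is rejected so the caller can answer 400 and log the attempt.
    column = SORT_COLUMNS.get(morder)
    if column is None:
        raise ValueError("unsupported sort key")
    sql = f"SELECT revision, author FROM commits ORDER BY {column} DESC LIMIT ?"
    return db.execute(sql, (limit,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(len(list_commits_vulnerable(db, "revision")))
    print(len(list_commits_vulnerable(db, "revision LIMIT 1--")))
    try:
        list_commits_hardened(db, "revision LIMIT 1--")
    except ValueError as exc:
        print("rejected:", exc)
```

    Rejected values are worth logging: a sort key containing whitespace or comment markers never comes from the normal UI.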

    References

    CWE-89
    OWASP SQL Injection

    CVE-2021-41154

    SCM/Subversion
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2020-08-12
    Attachments
    Empty
    References

    Follow-ups

    Thomas Gerbet (tgerbet) 2021-10-19 12:07

    CVE-2021-41154 has been assigned to this issue.

