CVE-2016-8734

Published: 16/10/2017 Updated: 20/10/2020
CVSS v2 Base Score: 4 | Impact Score: 2.9 | Exploitability Score: 8
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 357
Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P

Vulnerability Summary

Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 up to and including 1.8.16, and 1.9.0 up to and including 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU resources or memory.

Vulnerable Products

apache subversion 1.5.2

apache subversion 1.5.3

apache subversion 1.5.4

apache subversion 1.5.5

apache subversion 1.5.6

apache subversion 1.6.10

apache subversion 1.6.11

apache subversion 1.6.12

apache subversion 1.6.13

apache subversion 1.7.4

apache subversion 1.7.5

apache subversion 1.8.2

apache subversion 1.7.3

apache subversion 1.8.0

apache subversion 1.7.1

apache subversion 1.9.1

apache subversion 1.7.6

apache subversion 1.8.1

apache subversion 1.4.6

apache subversion 1.6.8

apache subversion 1.7.10

apache subversion 1.7.7

apache subversion 1.5.8

apache subversion 1.6.1

apache subversion 1.9.0

apache subversion 1.8.3

apache subversion 1.7.8

apache subversion 1.6.15

apache subversion 1.5.1

apache subversion 1.6.17

apache subversion 1.9.2

apache subversion 1.6.6

apache subversion 1.8.16

apache subversion 1.8.12

apache subversion 1.6.19

apache subversion 1.4.5

apache subversion 1.6.20

apache subversion 1.9.4

apache subversion 1.7.17

apache subversion 1.7.19

apache subversion 1.4.2

apache subversion 1.6.2

apache subversion 1.7.11

apache subversion 1.7.16

apache subversion 1.6.18

apache subversion 1.6.16

apache subversion 1.6.21

apache subversion 1.6.5

apache subversion 1.4.0

apache subversion 1.4.4

apache subversion 1.5.7

apache subversion 1.8.9

apache subversion 1.7.9

apache subversion 1.7.12

apache subversion 1.6.3

apache subversion 1.8.5

apache subversion 1.6.0

apache subversion 1.6.7

apache subversion 1.7.2

apache subversion 1.7.18

apache subversion 1.6.4

apache subversion 1.7.13

apache subversion 1.6.23

apache subversion 1.4.3

apache subversion 1.8.10

apache subversion 1.8.7

apache subversion 1.7.20

apache subversion 1.7.14

apache subversion 1.6.14

apache subversion 1.7.15

apache subversion 1.5.0

apache subversion 1.8.11

apache subversion 1.6.9

apache subversion 1.4.1

apache subversion 1.8.8

apache subversion 1.7.0

apache subversion 1.8.14

apache subversion 1.9.3

apache subversion 1.8.13

apache subversion 1.8.6

apache subversion 1.8.4

apache subversion 1.8.15

debian debian linux 8.0

debian debian linux 9.0

Vendor Advisories

Several problems were discovered in Subversion, a centralised version control system. CVE-2016-8734 (jessie only): Subversion's mod_dontdothat server module and Subversion clients using http(s):// were vulnerable to a denial-of-service attack caused by exponential XML entity expansion. CVE-2017-9800: Joern Schneeweisz discovered that ...
Several security issues were fixed in Subversion ...
It was discovered that Subversion's mod_dontdothat module and Subversion clients using http(s):// are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. An authenticated remote attacker can cause denial-of-service conditions on the server using mod_dontdothat by sending a specially crafted REPORT request. The atta ...
Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU resources or memory ...

Github Repositories

Tools that utilize the Red Hat Security Data API

rhsecapi: rhsecapi makes it easy to interface with the Red Hat Security Data API -- even from behind a proxy. From the rpm description: Leverage Red Hat's Security Data API to find CVEs by various attributes (date, severity, scores, package, IAVA, etc). Retrieve customizable details about found CVEs or about specific CVE ids input on cmdline. Parse arbitrary stdin for CVE