
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-28544 affects Apache Subversion servers, which reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original, revealing the fact that the node was copied and where it was copied from. The vulnerability affects both httpd (mod_dav_svn) and svnserve server versions 1.10.0 through 1.14.1 (Apache Advisory).
The vulnerability stems from an implementation error in the helper function detect_changed(), which finds and reports applicable changes. When path-based authorization is used, this function should omit information on nodes that are unreadable per authz rules. However, when a node in a readable location has been copied from an unreadable location, the copyfrom path is reported even though it should be hidden. The vulnerability has a CVSS v3.1 Base Score of 4.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (Apache Advisory, NVD).
The vulnerability allows users to see the path of protected files or directories that were used as copy sources, even when they don't have permission to access those locations. While only the path is revealed and not the actual contents of the protected files, this information disclosure could potentially expose sensitive directory structures or naming conventions (Apache Advisory).
The vulnerability has been fixed in Subversion versions 1.14.2 and 1.10.8. Users are advised to upgrade to these or later versions. The fix modifies the detect_changed() function to apply the authorization checks to copyfrom paths as well as to the changed node itself. Various distributions have also released patched versions, including Debian (1.10.4-1+deb10u3 for buster and 1.14.1-3+deb11u1 for bullseye) and Fedora (1.14.2-5 for versions 35 and 36) (Debian Advisory, Fedora Update).
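The logic flaw described above, as an added illustration that is not Subversion's own detect_changed() code: a simplified change reporter that checks only the changed node against path-based authz (the pre-fix behaviour) next to one that also checks the copy source. The longest-prefix authz model, the rule set and the change records are constructed for this example, and dropping the copyfrom information for an unreadable source is the assumed way of hiding it.

```python
# Simplified model of CVE-2021-28544: a change report that carries a
# 'copyfrom' path must apply the same path-based authz check to the copy
# source as to the changed node. Constructed example, not Subversion code.
from dataclasses import dataclass
from typing import Optional

# Constructed authz rules: path prefix -> readable? Longest matching prefix wins.
AUTHZ = {
    "/": True,
    "/secret": False,
}


def is_readable(path: str, rules=AUTHZ) -> bool:
    """Return whether `path` is readable under the longest matching rule."""
    best_len, readable = -1, False
    for prefix, allowed in rules.items():
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if len(prefix) > best_len:
                best_len, readable = len(prefix), allowed
    return readable


@dataclass
class Change:
    path: str
    copyfrom_path: Optional[str] = None


def report_change_vulnerable(change: Change, rules=AUTHZ) -> Optional[dict]:
    """Pre-fix behaviour: only the changed node is checked, so a readable
    copy of an unreadable source still leaks copyfrom_path."""
    if not is_readable(change.path, rules):
        return None  # node itself is hidden, nothing reported
    return {"path": change.path, "copyfrom_path": change.copyfrom_path}


def report_change_fixed(change: Change, rules=AUTHZ) -> Optional[dict]:
    """Fixed behaviour: the copy source is checked too; an unreadable source
    is withheld, so the node looks like a plain addition (assumed handling)."""
    if not is_readable(change.path, rules):
        return None
    src = change.copyfrom_path
    if src is not None and not is_readable(src, rules):
        src = None  # hide the protected copy source
    return {"path": change.path, "copyfrom_path": src}
```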
Source: This report was generated using AI