CVE-2024-46901: 
Apache Subversion vulnerability analysis and mitigation

Insufficient validation of filenames against control characters in Apache Subversion repositories served via moddavsvn was discovered as a security vulnerability. This issue affects all versions of Subversion up to and including version 1.14.4 when serving repositories via moddavsvn. The vulnerability was identified and disclosed on December 9, 2024, and has been assigned CVE-2024-46901 (Apache Advisory, NVD).

The vulnerability stems from an incomplete patch for a previous issue (CVE-2013-1968) that unintentionally left moddavsvn vulnerable to control characters in filenames. The issue has been assigned a CVSS v3.1 Base Score of 3.1 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L. The vulnerability is categorized under CWE-20 (Improper Input Validation) and CWE-116 (Improper Encoding or Escaping of Output) (Apache Advisory).

When exploited, this vulnerability can lead to disruption for users accessing the repository via HTTP. The main symptoms include failed SVN operations such as checkout and svnsync, producing XML response errors, and '500 Internal Server Error' messages when browsing affected files or directories via the web interface. It's important to note that only repositories accessed through moddavsvn are affected, while local repositories and those accessed via file://, svn://, or svn+ssh:// URLs remain unaffected (Apache Advisory).

Users are strongly recommended to upgrade to Subversion version 1.14.5, which includes the fix for this vulnerability. For affected repositories, repair options include fixing bad revision properties using svn propedit over file://, svn://, or svn+ssh:// protocols. Bad paths require a dump/load cycle using svnadmin dump --exclude to filter out problematic paths, followed by loading the result into a fresh repository. For users unable to upgrade immediately, a patch against Subversion 1.14.4 is available (Apache Advisory).