Info

Disclosure

Jun 24, 2012

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Jun 23, 2012

Description

ViewVC contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered by an unreadable copy source in the SVN revision view, which will disclose unspecified log information to an attacker.

Classification

Location: Location Unknown
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Solution: Upgrade
Exploit: Exploit Unknown
Disclosure: Vendor Verified

Solution

Upgrade to version 1.1.15 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

ViewVC

1 .1.14

References

CVE ID: 2012-3357 (see also: NVD)
Bugtraq ID: 54199
ISS X-Force ID: 76615
Related OSVDB ID: 83225
Vendor Specific News/Changelog Entry: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679069
http://freecode.com/projects/viewvc/releases/345868
http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2752&r2=2779&pathrev=HEAD
http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2758
Other Advisory URL: http://www.debian.org/security/2012/dsa-2563
https://lwn.net/Articles/505096/
Mail List Post: http://www.openwall.com/lists/oss-security/2012/06/25/8
Vendor URL: http://www.viewvc.org/

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/83227