CVE-2024-45720: Code Execution Flaw Discovered in Apache Subversion for Windows
A critical security vulnerability, CVE-2024-45720 (CVSS 8.2), has been identified in Apache Subversion (SVN), a popular version control system widely used by developers to maintain source code, web pages, and documentation. This flaw primarily affects Windows platforms, with the potential for command line argument injection, leading to the execution of unintended programs.
According to the security advisory from the Apache Subversion project, the vulnerability stems from how command line arguments are processed on Windows platforms. Specifically, the issue arises due to a “best fit” character encoding conversion that takes place when command line arguments are passed to Subversion executables like svn.exe. As the advisory explains: “An attacker who can run one of Subversion’s executables (svn.exe, etc.) with a specially crafted command line argument string could take advantage of the character encoding conversion process to cause unexpected command line argument interpretation, leading to argument injection and execution of other programs.”
This flaw is exacerbated by the fact that Windows handles command line arguments differently from UNIX-like platforms. On Windows, command line arguments are passed to a program as a single string, which the program must then parse into individual arguments. In doing so, a “best fit” character encoding conversion occurs, particularly when certain Unicode characters are involved, which can lead to unpredictable outcomes, including the execution of malicious commands.
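A pre-launch check for a script or service that builds an svn.exe command line from outside input, as an added example that is not from the advisory or the Subversion project: it flags every argument character that has no exact byte in the ANSI code page, since those are the characters a “best fit” conversion has to approximate. The cp1252 code page, the function names and the sample arguments are assumptions constructed for illustration.

```python
"""Added example: pre-launch check for scripts that pass outside input to svn.exe."""

# Assumption: the host's ANSI code page is Windows-1252; set this per deployment.
ANSI_CODEC = "cp1252"


def lossy_chars(arg: str, codec: str = ANSI_CODEC) -> list[tuple[int, str]]:
    """Return (index, 'U+XXXX') for each character with no exact byte in `codec`.

    Python's codecs are strict: they raise instead of substituting a look-alike,
    so an encode failure marks exactly the characters that a best-fit
    conversion would have to approximate.
    """
    found = []
    for i, ch in enumerate(arg):
        try:
            ch.encode(codec)
        except UnicodeEncodeError:
            found.append((i, f"U+{ord(ch):04X}"))
    return found


def check_argv(argv: list[str], codec: str = ANSI_CODEC) -> dict[int, list[tuple[int, str]]]:
    """Map argument position -> lossy characters.

    An empty dict means every argument converts to the code page exactly.
    """
    report = {}
    for pos, arg in enumerate(argv):
        hits = lossy_chars(arg, codec)
        if hits:
            report[pos] = hits
    return report


# Constructed samples: commands a CI job might build from a user-supplied path.
SAMPLE_OK = ["svn.exe", "log", "--limit", "5", "trunk/caf\u00e9/readme.txt"]
SAMPLE_BAD = ["svn.exe", "log", "trunk/\u65e5\u672c/readme.txt"]  # CJK: not in cp1252

if __name__ == "__main__":
    for argv in (SAMPLE_OK, SAMPLE_BAD):
        report = check_argv(argv)
        # A non-empty report means the caller should refuse to launch svn.exe.
        print("pass" if not report else f"reject {report}", argv)
```

A caller would refuse to start the process whenever check_argv returns a non-empty report, and log the flagged code points for review.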
The advisory notes: “Subversion is known to be affected on Windows 10 and 11; it may be affected on most other versions of Windows as well.”
Although the issue is isolated to Windows, the widespread use of Apache Subversion in development environments increases the risk, as many teams rely on Subversion to manage their version control processes across various projects. This flaw has no impact on UNIX-like platforms, such as Linux and macOS, as these platforms handle command line arguments differently.
This vulnerability was reported by security researchers Orange Tsai and Splitline from the DEVCORE Research Team, known for their expertise in identifying critical software vulnerabilities.
The CVE-2024-45720 vulnerability has been patched in Subversion 1.14.4, and all users on Windows platforms are strongly urged to upgrade to this fixed release. For those who are unable to immediately upgrade, the advisory offers a temporary mitigation by applying the patch available from the Subversion project.