Medium severity (6.8) · NVD Advisory · Published May 5, 2016 · Updated May 6, 2026
CVE-2016-2167
Description
The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string.
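To make the mechanism in the description concrete, the following added example (illustrative C, not Subversion's own code; the function names, the realm "example.org" and the probe realms are constructed) contrasts a prefix-based realm comparison, which accepts any client realm that is a prefix of the repository realm, with an exact comparison that does not.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of the flaw in CVE-2016-2167 (not Subversion's code):
 * the client-supplied realm is compared for only strlen(client_realm)
 * bytes, so any prefix of the repository realm, including the empty
 * string, is accepted as a match. */
bool realm_matches_prefix(const char *client_realm, const char *repo_realm)
{
    return strncmp(client_realm, repo_realm, strlen(client_realm)) == 0;
}

/* Hardened form: the realm must match byte for byte, length included. */
bool realm_matches_exact(const char *client_realm, const char *repo_realm)
{
    return strcmp(client_realm, repo_realm) == 0;
}

/* Build the "user@realm" name used for access decisions, but only when the
 * realm check passes. Returns false and leaves out untouched otherwise. */
bool build_authz_name(const char *user, const char *client_realm,
                      const char *repo_realm, char *out, size_t outlen,
                      bool (*realm_ok)(const char *, const char *))
{
    if (!realm_ok(client_realm, repo_realm))
        return false;
    int n = snprintf(out, outlen, "%s@%s", user, repo_realm);
    return n > 0 && (size_t)n < outlen;
}

int main(void)
{
    const char *repo_realm = "example.org";                    /* constructed */
    const char *probes[] = { "example.org", "example", "", "other.org" };
    char name[64];

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        bool weak = build_authz_name("alice", probes[i], repo_realm,
                                     name, sizeof name, realm_matches_prefix);
        bool strict = build_authz_name("alice", probes[i], repo_realm,
                                       name, sizeof name, realm_matches_exact);
        printf("client realm \"%s\": prefix check %s, exact check %s\n",
               probes[i], weak ? "ACCEPTS" : "rejects",
               strict ? "ACCEPTS" : "rejects");
    }
    return 0;
}
```

Only the full realm passes both checks; "example" and the empty string pass the prefix check alone, which is the access-restriction bypass the advisory describes.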
Affected products
- cpe:2.3:a:apache:subversion:*:*:*:*:*:*:*:* (range: <=1.8.15)
- cpe:2.3:a:apache:subversion:1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.9.3:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- subversion.apache.org/security/CVE-2016-2167-advisory.txt (NVD; Vendor Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2016-May/184545.html (NVD)
- lists.opensuse.org/opensuse-updates/2016-05/msg00043.html (NVD)
- lists.opensuse.org/opensuse-updates/2016-05/msg00044.html (NVD)
- mail-archives.apache.org/mod_mbox/subversion-announce/201604.mbox/%3CCAP_GPNgJet+7_MAhomFVOXPgLtewcUw9w=k9zdPCkq5tvPxVMA%40mail.gmail.com%3E (NVD)
- mail-archives.apache.org/mod_mbox/subversion-announce/201604.mbox/%3CCAP_GPNgfn1iKueW51EpmXzXi_URNfGNofZSgOyW1_jnSeNm5DQ%40mail.gmail.com%3E (NVD)
- www.debian.org/security/2016/dsa-3561 (NVD)
- www.securityfocus.com/bid/89417 (NVD)
- www.securitytracker.com/id/1035706 (NVD)
- www.slackware.com/security/viewer.php (NVD)
- security.gentoo.org/glsa/201610-05 (NVD)
- www.oracle.com/security-alerts/cpuoct2020.html (NVD)
News mentions
No linked articles in our index yet.