TortoiseSVN <= 1.12.1 Remote Code Execution (RCE) Vulnerability

Technical Details

Severity Level:

High Severity

CVSS Score:

10.0

CVSS Base Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Summary:
This host is installed with TortoiseSVN and is prone to a remote code-execution vulnerability.

Impact:
Successful exploitation could allow remote attackers to execute arbitrary code to compromise the target system.

Affected Versions:
TortoiseSVN through version 1.12.1.

Technical Details:
The following flaws exist:
- The URI handler of TortoiseSVN (Tsvncmd:) allows a customised diff operation on Excel workbooks, which could be used to open remote workbooks without protection from macro security settings.
- A `tsvncmd:command:diff?path:[file1]?path2:[file2]` URI executes a customised diff on [file1] and [file2], selected by file extension. For .xls files it executes the script `diff-xls.js` using wscript, which opens the two files for analysis without any macro security warning.

Recommendations:
Update to TortoiseSVN version 1.12.2 or later.
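Two defender-side checks that follow from the details above, as an added example (not the scanner's own detection logic): a numeric version compare that flags any TortoiseSVN build below the fixed 1.12.2, and a filter over constructed process-creation events that surfaces wscript.exe running diff-xls.js. The event fields and the Diff-Scripts path are assumptions for the sample data.

```python
import re
from typing import Iterable, List, Tuple

# First version the advisory lists as fixed; anything below it is in the affected range.
FIXED_VERSION = (1, 12, 2)

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '1.12.1.28713' into a tuple of ints."""
    nums = re.findall(r"\d+", version)
    if not nums:
        raise ValueError(f"no numeric components in version string {version!r}")
    return tuple(int(n) for n in nums)

def is_vulnerable_version(version: str) -> bool:
    """True when the installed build is below 1.12.2 (numeric compare, so 1.9.x < 1.12.x)."""
    return parse_version(version) < FIXED_VERSION

# Constructed sample process-creation events (not real logs). The Diff-Scripts
# path is an assumption about where the script lives, not taken from the advisory.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\TortoiseSVN\Diff-Scripts\diff-xls.js" '
                r'"\\fileserver\share\quarterly.xls" "C:\work\quarterly.xls"'},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Scripts\logon.js"'},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" "C:\work\quarterly.xls"'},
]

def flag_diff_xls_launches(events: Iterable[dict]) -> List[dict]:
    """Return events where wscript.exe runs diff-xls.js, the host-side trace of the
    unprotected workbook open described above; also note whether a workbook
    argument points at a remote location (UNC share or URL)."""
    hits = []
    for ev in events:
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        cmd = ev.get("cmdline", "").lower()
        if image == "wscript.exe" and "diff-xls.js" in cmd:
            remote = "\\\\" in cmd or "http://" in cmd or "https://" in cmd
            hits.append({**ev, "remote_workbook": remote})
    return hits

if __name__ == "__main__":
    for v in ("1.9.7", "1.12.1.28713", "1.12.2"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    for hit in flag_diff_xls_launches(SAMPLE_EVENTS):
        print("diff-xls.js launch, remote workbook:", hit["remote_workbook"])
```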

Detection Type:
Windows Registry

Solution Type:
Vendor Patch

Family:

General

Creation Time:

2019-08-28 15:43:37

Modification Time:

2019-08-30 09:47:09

Find and Fix this Vulnerability:

Mageni can help you to find out if you have this or more vulnerabilities exposing you to hackers, ransomware and malware: Download Mageni's Free Edition

NVD CVE ID:
CVE-2019-14422

Don't pay for a vulnerability scanning and management platform. This one is free.

Mageni provides a free vulnerability scanning and management platform that helps you find, prioritize, remediate and manage your vulnerabilities.