If a user had issues with SVNBridge on their server, it was recommended to first verify if the application is enabled. If the application is not enabled, then the server should be upgraded. Upgrading the server will resolve the issue. If the application is enabled and still has issues, then contact GitHub Enterprise Support for assistance. A vulnerability was identified in the installation and configuration of the SVNBridge application that if a user does not have SSL enabled on their server, then an attacker would be able to access the server using a server-side request forgery (SSRF). This could let an attacker access any data that is being stored on the server. To exploit this vulnerability, an attacker would need to gain access via a server-side request forgery (SSRF) that would let an attacker control the data being deserialized. This vulnerability was reported to GitHub Enterprise Server security on May 14, 2018.

CVE-2023-23730

A vulnerability was identified in the installation and configuration of the SVNBridge application that if a user does not have SSL enabled on their server, then an attacker would be able to access the server using a server-side request forgery (SSRF). This could let an attacker access any data that is being stored on the server. To exploit this vulnerability, an attacker would need to gain access via a server-side request forgery (SSRF) that would let an attacker control the data being deserialized. This vulnerability was reported to GitHub Enterprise Server security on May 14, 2018.

ID Summary

The application was vulnerable to a SSRF vulnerability. If the application was enabled, then it would not be exploitable. If the application was not enabled and upgraded, then the vulnerability would be resolved.

GitHub Enterprise Server Security reported to GitHub Enterprise on May 14th that SVNBridge had a vulnerability in their installation and configuration process. The SVNBridge application is an open source web service that can be used with Git, leading to easier updates and collaboration for developers through Git. The vulnerability identified in SVNBridge could allow for a server-side request forgery (SSRF) if SSL wasn't enabled on the server hosting SVNBridge. This could allow an attacker to access any data stored on the server via this vulnerability. If someone had SVNBridge installed but they didn't have SSL enabled and they were using Git, then they should contact GitHub Enterprise Support who will help them resolve the issue.

Confirming if the server has SSL enabled

To confirm if the server has SSL enabled, a user can use the following command:
openssl s_client -connect example.com:443
If the response is similar to this one then it means that SSL is enabled on that server:
"CONNECTED(00000003) "
"200 OK (extended serial data) "
If however, the response is similar to this one then it means that the server does not have SSL enabled:
"CONNECTED(00000003) "
“Freshmeat.net does not offer such service.”

Summary of CVE-2022-23734

Information about a vulnerability that would allow an attacker to gain access to the server using a server-side request forgery (SSRF) was reported on May 14, 2018. If a user does not have SSL enabled on their server and SVNBridge is installed on the server, then an attacker would be able to access the server using a server-side request forgery (SSRF).

Timeline

Published on: 10/19/2022 14:15:00 UTC
Last modified on: 10/20/2022 19:40:00 UTC

References