CVE-2009-2473

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

References

http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html

http://lists.manyfish.co.uk/pipermail/neon/2009-August/001044.html

http://lists.manyfish.co.uk/pipermail/neon/2009-August/001045.html

http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html

http://rhn.redhat.com/errata/RHSA-2013-0131.html

http://secunia.com/advisories/36371

http://support.apple.com/kb/HT4435

http://www.mandriva.com/security/advisories?name=MDVSA-2009:221

http://www.vupen.com/english/advisories/2009/2341

https://exchange.xforce.ibmcloud.com/vulnerabilities/52633

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9461

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00924.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00945.html

Details

Source: MITRE

Published: 2009-08-21

Updated: 2017-09-19

Type: CWE-399

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:webdav:neon:0.28.6:*:*:*:*:*:*:*

Tenable Plugins

View all (20 total)

IDNameProductFamilySeverity
68702Oracle Linux 5 : gnome-vfs2 (ELSA-2013-0131)NessusOracle Linux Local Security Checks
medium
67927Oracle Linux 4 / 5 : neon (ELSA-2009-1452)NessusOracle Linux Local Security Checks
medium
63594Scientific Linux Security Update : gnome-vfs2 on SL5.x i386/x86_64 (20130108)NessusScientific Linux Local Security Checks
medium
63576CentOS 5 : gnome-vfs2 (CESA-2013:0131)NessusCentOS Local Security Checks
medium
63412RHEL 5 : gnome-vfs2 (RHSA-2013:0131)NessusRed Hat Local Security Checks
medium
60667Scientific Linux Security Update : neon on SL4.x, SL5.x i386/x86_64NessusScientific Linux Local Security Checks
medium
800791Mac OS X 10.6 < 10.6.5 Multiple VulnerabilitiesLog Correlation EngineOperating System Detection
high
5705Mac OS X 10.6 < 10.6.5 Multiple VulnerabilitiesNessus Network MonitorGeneric
critical
50548Mac OS X 10.6.x < 10.6.5 Multiple VulnerabilitiesNessusMacOS X Local Security Checks
critical
49905SuSE 10 Security Update : neon (ZYPP Patch Number 6549)NessusSuSE Local Security Checks
medium
43792CentOS 4 / 5 : neon (CESA-2009:1452)NessusCentOS Local Security Checks
medium
42324openSUSE 10 Security Update : libneon-devel (libneon-devel-6550)NessusSuSE Local Security Checks
medium
42317openSUSE Security Update : libneon-devel (libneon-devel-1377)NessusSuSE Local Security Checks
medium
42315openSUSE Security Update : libneon-devel (libneon-devel-1377)NessusSuSE Local Security Checks
medium
42303SuSE 10 Security Update : neon (ZYPP Patch Number 6548)NessusSuSE Local Security Checks
medium
42301SuSE 11 Security Update : libneon (SAT Patch Number 1376)NessusSuSE Local Security Checks
medium
41031RHEL 4 / 5 : neon (RHSA-2009:1452)NessusRed Hat Local Security Checks
medium
40764Mandriva Linux Security Advisory : libneon0.27 (MDVSA-2009:221)NessusMandriva Local Security Checks
medium
40683Fedora 11 : neon-0.28.6-1.fc11 (2009-8815)NessusFedora Local Security Checks
medium
40677Fedora 10 : neon-0.28.6-1.fc10 (2009-8794)NessusFedora Local Security Checks
medium