Vulnerability Details : CVE-2009-2473
neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Vulnerability category: Denial of service
Products affected by CVE-2009-2473
- cpe:2.3:a:webdav:neon:0.28.6:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2009-2473
- EPSS score: 0.27% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~63% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2009-2473
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P | 8.6 | 2.9 | NIST | |
CWE ids for CVE-2009-2473
- Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2009-2473
- Red Hat (2009-09-22): Updated neon packages for Red Hat Enterprise Linux 4 and 5 were released via https://rhn.redhat.com/errata/RHSA-2009-1452.html. An embedded copy of the neon library is included in the versions of the gnome-vfs2 packages as shipped with Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this issue as having low security impact on gnome-vfs2; future updates may address this flaw.
References for CVE-2009-2473
- http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html (Apple security-announce list)
- http://lists.manyfish.co.uk/pipermail/neon/2009-August/001044.html
- http://rhn.redhat.com/errata/RHSA-2013-0131.html
- http://lists.manyfish.co.uk/pipermail/neon/2009-August/001045.html
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00945.html ([SECURITY] Fedora 11 Update: neon-0.28.6-1.fc11)
- http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html ([security-announce] SUSE Security Summary Report: SUSE-SR:2009:018)
- http://support.apple.com/kb/HT4435
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9461
- https://exchange.xforce.ibmcloud.com/vulnerabilities/52633
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00924.html ([SECURITY] Fedora 10 Update: neon-0.28.6-1.fc10)
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:221 (Mandriva)
- http://www.vupen.com/english/advisories/2009/2341 (Patch; Vendor Advisory)