CVE-2009-2473
Published: 2009-08-21
Priority: P4 · 28 · medium · CVSS 2.0 base score 4.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Exploit
EPSS: 8.44% (94.3rd percentile)
neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | neon27 | — | — |
| webdav | neon | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| vendor_debian | — | 6.5 | LOW | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
GHSA
GHSA-9vc6-7j3x-7x4v: neon before 0... (ghsa_unreviewed · 2022-05-02 · CVSS 6.5 · MEDIUM)
Red Hat
neon: billion laughs DoS attack (vendor_redhat · 2009-08-18 · CVSS 6.5 · MEDIUM)
Package: gnome-vfs2 (Red Hat Enterprise Linux 4) - Will not fix
Debian
CVE-2009-2473: neon27 - neon before 0.28.6, when expat is used, does not properly detect recursion durin... (vendor_debian · 2009 · CVSS 6.5 · MEDIUM)
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
References
http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html
http://lists.manyfish.co.uk/pipermail/neon/2009-August/001044.html
http://lists.manyfish.co.uk/pipermail/neon/2009-August/001045.html
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html
http://rhn.redhat.com/errata/RHSA-2013-0131.html
http://secunia.com/advisories/36371
http://support.apple.com/kb/HT4435
http://www.mandriva.com/security/advisories?name=MDVSA-2009:221
http://www.vupen.com/english/advisories/2009/2341
https://exchange.xforce.ibmcloud.com/vulnerabilities/52633
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9461
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00924.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00945.html