CVE-2009-2473 – Expat 2.0.1 - UTF-8 Character XML Parsing Remote Denial of Service

https://notcve.org/view.php?id=CVE-2009-2473

neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. neon, en versiones anteriores a la 0.28.6, cuando se usa expat, no detecta adecuadamente la recursividad en la expansión de una entidad, esto permite a atacantes dependientes del contexto provocar una denegación de servicio (consumo de la memoria y CPU), mediante un documento XML manipulado que contiene un gran número de referencias anidadas a entidades, una cuestión similar a CVE-2003-1564. • https://www.exploit-db.com/exploits/10206 http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html http://lists.manyfish.co.uk/pipermail/neon/2009-August/001044.html http://lists.manyfish.co.uk/pipermail/neon/2009-August/001045.html http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html http://rhn.redhat.com/errata/RHSA-2013-0131.html http://secunia.com/advisories/36371 http://support.apple.com/kb/HT4435 http://www.mandriva.com/security&#x • CWE-399: Resource Management Errors •