ID CVE-2008-3746
Summary neon 0.28.0 through 0.28.2 allows remote servers to cause a denial of service (NULL pointer dereference and crash) via vectors related to Digest authentication, Digest domain parameter support, and the parse_domain function.
References
Vulnerable Configurations
  • cpe:2.3:a:webdav:neon:0.28.0
  • cpe:2.3:a:webdav:neon:0.28.1
  • cpe:2.3:a:webdav:neon:0.28.2
CVSS
Base: 4.3 (as of 27-08-2008 - 13:01)
Impact:
Exploitability:
Access
    Vector NETWORK
    Complexity MEDIUM
    Authentication NONE
Impact
    Confidentiality NONE
    Integrity NONE
    Availability PARTIAL
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_755FA51980A911DD8DE50030843D3802.NASL
    description Joe Orton reports: A NULL pointer dereference in the Digest authentication support in neon versions 0.28.0 through 0.28.2 inclusive allows a malicious server to crash a client application, resulting in possible denial of service.
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 34188
    published 2008-09-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34188
    title FreeBSD : neon -- NULL pointer dereference in Digest domain support (755fa519-80a9-11dd-8de5-0030843d3802)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-074.NASL
    description A security vulnerability has been identified and fixed in neon: neon 0.28.0 through 0.28.2 allows remote servers to cause a denial of service (NULL pointer dereference and crash) via vectors related to Digest authentication and Digest domain parameter support (CVE-2008-3746). The updated packages have been upgraded to version 0.28.3 to prevent this.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 37634
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37634
    title Mandriva Linux Security Advisory : libneon0.27 (MDVSA-2009:074)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-7661.NASL
    description This update includes the latest release of neon, fixing a security issue in the Digest authentication domain parameter support. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 34422
    published 2008-10-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34422
    title Fedora 9 : neon-0.28.3-1.fc9 (2008-7661)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-835-1.NASL
    description Joe Orton discovered that neon did not correctly handle SSL certificates with zero bytes in the Common Name. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 41046
    published 2009-09-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41046
    title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : neon, neon27 vulnerabilities (USN-835-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_LIBNEON-DEVEL-080821.NASL
    description This update of neon fixes a NULL pointer dereference in the digest authentication code. (CVE-2008-3746)
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 40028
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40028
    title openSUSE Security Update : libneon-devel (libneon-devel-166)
refmap via4
bid 30710
confirm http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476571
fedora FEDORA-2008-7661
mandriva MDVSA-2009:074
mlist
  • [neon] 20080820 CVE-2008-3746: NULL pointer dereference in Digest domain support
  • [neon] 20080820 neon: release 0.28.3 (SECURITY)
  • [oss-security] 20080815 CVE request for neon
  • [oss-security] 20080820 Re: CVE request for neon
sectrack 1020725
secunia
  • 31508
  • 31687
  • 32286
  • 36799
suse SUSE-SR:2008:017
ubuntu USN-835-1
vupen ADV-2008-2420
xf neon-digestauthentication-dos(44511)
statements via4
contributor Tomas Hoger
lastmodified 2008-08-28
organization Red Hat
statement Not vulnerable. This issue did not affect the versions of neon as shipped with Red Hat Enterprise Linux 4, or 5.
Last major update 01-09-2011 - 00:00
Published 27-08-2008 - 11:21
Last modified 07-08-2017 - 21:32