CVE-2004-0398

Heap-based buffer overflow in the ne_rfc1036_parse date parsing function for the neon library (libneon) 0.24.5 and earlier, as used by cadaver before 0.22, allows remote WebDAV servers to execute arbitrary code on the client.

Published: 2004-07-07 Last update: 2026-04-16 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2004-0398 is rated Moderate Risk (61.9/100): CVSS High severity, with medium exploitation likelihood (EPSS 4.80%). Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2004-0398

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2025-04-14 3.91% 4.80% +0.89%
2 2025-03-30 4.71% 3.91% -0.80%
3 2025-03-29 4.71%

Full EPSS history (7 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2004-0398

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 2.0 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 10.0 6.4 [email protected]

Weakness enumeration for CVE-2004-0398

OS Trackers for CVE-2004-0398

vendor priority summary link
debian not yet assigned CVE-2004-0398 not yet assigned priority: Debian including 1 source packages (cadaver), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2004-0398
redhat high https://access.redhat.com/security/cve/CVE-2004-0398
ubuntu medium CVE-2004-0398 medium priority: Ubuntu including 4 source packages (cadaver, neon, neon24, neon26), 16 status rows across 4 suites (dapper, edgy, feisty, upstream): released 9, needs-triage 4, DNE 3. https://ubuntu.com/security/CVE-2004-0398

Affected software / configurations for CVE-2004-0398

Vendor Product Version Raw CPE
webdav cadaver < 0.22.0 cpe:2.3:a:webdav:cadaver:*:*:*:*:*:*:*:*
webdav neon <= 0.24.5 cpe:2.3:a:webdav:neon:*:*:*:*:*:*:*:*
debian debian_linux 3.0 cpe:2.3:o:debian:debian_linux:3.0:*:*:*:*:*:*:*

References for CVE-2004-0398

URL Tags
http://archives.neohapsis.com/archives/fulldisclosure/2004-05/0982.html Broken Link
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000841 Broken Link
http://marc.info/?l=bugtraq&m=108498433632333&w=2 Third Party Advisory
http://marc.info/?l=bugtraq&m=108500057108022&w=2 Third Party Advisory
http://secunia.com/advisories/11638 Third Party Advisory
http://secunia.com/advisories/11650 Third Party Advisory
http://secunia.com/advisories/11673 Third Party Advisory
http://security.gentoo.org/glsa/glsa-200405-13.xml Third Party Advisory
http://security.gentoo.org/glsa/glsa-200405-15.xml Third Party Advisory
http://www.ciac.org/ciac/bulletins/o-148.shtml Broken Link
http://www.debian.org/security/2004/dsa-506 Third Party Advisory
http://www.debian.org/security/2004/dsa-507 Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDKSA-2004:049 Third Party Advisory
http://www.osvdb.org/6302 Broken Link
http://www.redhat.com/support/errata/RHSA-2004-191.html Third Party Advisory
http://www.securityfocus.com/bid/10385 Third Party Advisory VDB Entry
https://bugzilla.fedora.us/show_bug.cgi?id=1552 Broken Link
https://exchange.xforce.ibmcloud.com/vulnerabilities/16192 Third Party Advisory VDB Entry
cvelogic Threat Intelligence