ID: CVE-2015-5522
Type: cve
Reporter: NVD
Modified: 2016-12-07T22:10:06
Description
Heap-based buffer overflow in the ParseValue function in lexer.c in tidy before 4.9.31 allows remote attackers to cause a denial of service (crash) via vectors involving a command character in an href.
{"result": {"nessus": [{"id": "FREEBSD_PKG_BD1AB7A50E0111E59976A0F3C100AE18.NASL", "type": "nessus", "title": "FreeBSD : tidy -- heap-buffer-overflow (bd1ab7a5-0e01-11e5-9976-a0f3c100ae18)", "description": "Geoff McLane reports :\n\ntidy is affected by a write out of bounds when processing malformed html files.\n\nThis issue could be abused on server side applications that use php-tidy extension with user input.\n\nThe issue was confirmed, analyzed, and fixed by the tidy5 maintainer.", "published": "2015-06-09T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84044", "cvelist": ["CVE-2015-5523", "CVE-2015-5522"], "lastseen": "2017-10-29T13:33:24"}, {"id": "UBUNTU_USN-2695-1.NASL", "type": "nessus", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : tidy vulnerabilities (USN-2695-1)", "description": "Fernando Munoz discovered that HTML Tidy incorrectly handled memory.\nIf a user or automated system were tricked into processing specially crafted data, applications linked against HTML Tidy could be made to crash, leading to a denial of service, or possibly execute arbitrary code.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-07-30T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=85123", "cvelist": ["CVE-2015-5523", "CVE-2015-5522"], "lastseen": "2017-10-29T13:39:16"}, {"id": "DEBIAN_DSA-3309.NASL", "type": "nessus", "title": "Debian DSA-3309-1 : tidy - security update", "description": "Fernando Munoz discovered that invalid HTML input passed to tidy, an HTML syntax checker and reformatter, could trigger a buffer overflow.\nThis could allow remote attackers to cause a denial of service (crash) or potentially execute arbitrary code.\n\nGeoff McLane also discovered that a similar issue could trigger an integer overflow, leading to a memory allocation of 4GB. This could allow remote attackers to cause a denial of service by saturating the target's memory.", "published": "2015-07-20T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84837", "cvelist": ["CVE-2015-5523", "CVE-2015-5522"], "lastseen": "2017-10-29T13:39:09"}, {"id": "DEBIAN_DLA-273.NASL", "type": "nessus", "title": "Debian DLA-273-1 : tidy security update", "description": "Fernando Muñoz discovered a security issue on the HTML syntax checker and reformatter tidy. Tidy did not properly process specific character sequences, and a remote attacker could exploit this flaw to cause a DoS, or probably, execute arbitrary code. 
Two different CVEs were assigned to this issue.\n\nCVE-2015-5522\n\nMalformed html documents could lead to a heap-buffer-overflow.\n\nCVE-2015-5523\n\nMalformed html documents could lead to allocate 4Gb of memory.\n\nFor the Squeeze distribution, this issue has been fixed in the 20091223cvs-1+deb6u1 version of tidy.\n\nWe recommend that you upgrade your tidy packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-07-20T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84831", "cvelist": ["CVE-2015-5523", "CVE-2015-5522"], "lastseen": "2017-10-29T13:39:27"}, {"id": "SUSE_SU-2015-1525-1.NASL", "type": "nessus", "title": "SUSE SLED11 Security Update : tidy (SUSE-SU-2015:1525-1)", "description": "This update fixes two heap-based buffer overflows in tidy/libtidy.\nThese vulnerabilities could allow remote attackers to cause a denial of service (crash) via vectors involving a command character in an href. (CVE-2015-5522, CVE-2015-5523)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-09-11T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=85904", "cvelist": ["CVE-2015-5523", "CVE-2015-5522"], "lastseen": "2017-10-29T13:36:54"}, {"id": "MACOSX_10_11.NASL", "type": "nessus", "title": "Mac OS X < 10.11 Multiple Vulnerabilities (GHOST)", "description": "The remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11. It is, therefore, affected by multiple vulnerabilities in the following components :\n\n - Address Book\n - AirScan\n - apache_mod_php\n - Apple Online Store Kit\n - AppleEvents\n - Audio\n - bash\n - Certificate Trust Policy\n - CFNetwork Cookies\n - CFNetwork FTPProtocol\n - CFNetwork HTTPProtocol\n - CFNetwork Proxies\n - CFNetwork SSL\n - CoreCrypto\n - CoreText\n - Dev Tools\n - Disk Images\n - dyld\n - EFI\n - Finder\n - Game Center\n - Heimdal\n - ICU\n - Install Framework Legacy\n - Intel Graphics Driver\n - IOAudioFamily\n - IOGraphics\n - IOHIDFamily\n - IOStorageFamily\n - Kernel\n - libc\n - libpthread\n - libxpc\n - Login Window\n - lukemftpd\n - Mail\n - Multipeer Connectivity\n - NetworkExtension\n - Notes\n - OpenSSH\n - OpenSSL\n - procmail\n - remote_cmds\n - removefile\n - Ruby\n - Safari\n - Safari Downloads\n - Safari Extensions\n - Safari Safe Browsing\n - Security\n - SMB\n - SQLite\n - Telephony\n - Terminal\n - tidy\n - Time Machine\n - WebKit\n - WebKit CSS\n - WebKit JavaScript Bindings\n - WebKit Page Loading\n - WebKit Plug-ins\n\nNote that successful exploitation of the most serious issues can result in arbitrary code execution.", "published": "2015-10-05T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": 
"https://www.tenable.com/plugins/index.php?view=single&id=86270", "cvelist": ["CVE-2015-2348", "CVE-2014-9705", "CVE-2015-5883", "CVE-2015-2787", "CVE-2015-0232", "CVE-2015-5903", "CVE-2015-0235", "CVE-2015-2783", "CVE-2015-5825", "CVE-2015-5877", "CVE-2015-3785", "CVE-2015-5847", "CVE-2014-9427", "CVE-2015-3329", "CVE-2015-3415", "CVE-2015-3330", "CVE-2015-5798", "CVE-2015-5922", "CVE-2015-5865", "CVE-2015-5869", "CVE-2015-5879", "CVE-2015-5876", "CVE-2015-5858", "CVE-2015-5862", "CVE-2015-0286", "CVE-2015-5888", "CVE-2015-5796", "CVE-2015-5874", "CVE-2015-5808", "CVE-2015-5860", "CVE-2015-1855", "CVE-2014-3618", "CVE-2015-5812", "CVE-2015-1352", "CVE-2015-5788", "CVE-2015-2301", "CVE-2015-5868", "CVE-2015-5872", "CVE-2015-5805", "CVE-2015-5839", "CVE-2015-5840", "CVE-2014-6277", "CVE-2014-9425", "CVE-2014-9709", "CVE-2015-5828", "CVE-2015-2305", "CVE-2015-5816", "CVE-2015-5873", "CVE-2015-5794", "CVE-2015-0273", "CVE-2015-5807", "CVE-2015-5875", "CVE-2015-5882", "CVE-2015-5842", "CVE-2015-5801", "CVE-2015-5912", "CVE-2015-2331", "CVE-2015-5870", "CVE-2015-5913", "CVE-2015-5818", "CVE-2015-5803", "CVE-2015-5802", "CVE-2015-5792", "CVE-2015-5791", "CVE-2015-5841", "CVE-2015-5793", "CVE-2015-5894", "CVE-2015-5881", "CVE-2015-5795", "CVE-2014-2532", "CVE-2015-5831", "CVE-2014-8147", "CVE-2015-5878", "CVE-2015-5855", "CVE-2014-8611", "CVE-2015-5789", "CVE-2015-5765", "CVE-2015-5871", "CVE-2015-5780", "CVE-2015-5866", "CVE-2015-5901", "CVE-2014-8090", "CVE-2015-5813", "CVE-2015-5824", "CVE-2015-5764", "CVE-2015-5884", "CVE-2015-3416", "CVE-2015-5821", "CVE-2015-5889", "CVE-2015-5867", "CVE-2015-5836", "CVE-2015-5915", "CVE-2015-5900", "CVE-2015-5890", "CVE-2015-5819", "CVE-2015-5800", "CVE-2015-5827", "CVE-2014-7187", "CVE-2015-5826", "CVE-2014-8146", "CVE-2015-5854", "CVE-2015-3414", "CVE-2014-9652", "CVE-2015-5523", "CVE-2015-5820", "CVE-2015-5815", "CVE-2015-5885", "CVE-2015-3801", "CVE-2013-3951", "CVE-2015-5893", "CVE-2015-5917", "CVE-2014-8080", "CVE-2015-5810", 
"CVE-2015-1351", "CVE-2015-5887", "CVE-2015-5902", "CVE-2015-0287", "CVE-2015-5853", "CVE-2015-5897", "CVE-2015-5823", "CVE-2015-5822", "CVE-2015-5830", "CVE-2015-5849", "CVE-2015-5797", "CVE-2015-5896", "CVE-2015-5833", "CVE-2015-5863", "CVE-2015-5806", "CVE-2015-5809", "CVE-2015-5799", "CVE-2015-5790", "CVE-2015-0231", "CVE-2015-5864", "CVE-2015-5804", "CVE-2014-7186", "CVE-2015-5814", "CVE-2015-5891", "CVE-2015-5817", "CVE-2015-5914", "CVE-2015-5811", "CVE-2015-5522", "CVE-2015-5851", "CVE-2015-5899", "CVE-2015-5767"], "lastseen": "2017-10-29T13:43:07"}], "freebsd": [{"id": "BD1AB7A5-0E01-11E5-9976-A0F3C100AE18", "type": "freebsd", "title": "tidy -- heap-buffer-overflow", "description": "\nGeoff McLane reports:\n\ntidy is affected by a write out of bounds when processing malformed html files.\nThis issue could be abused on server side applications that use php-tidy extension with user input.\nThe issue was confirmed, analyzed, and fixed by the tidy5 maintainer.\n\n", "published": "2015-06-03T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vuxml.freebsd.org/freebsd/bd1ab7a5-0e01-11e5-9976-a0f3c100ae18.html", "cvelist": ["CVE-2015-5523", "CVE-2015-5522"], "lastseen": "2017-07-05T10:15:48"}], "debian": [{"id": "DSA-3309", "type": "debian", "title": "tidy -- security update", "description": "Fernando Mu\u00f1oz discovered that invalid HTML input passed to tidy, an HTML syntax checker and reformatter, could trigger a buffer overflow. This could allow remote attackers to cause a denial of service (crash) or potentially execute arbitrary code.\n\nGeoff McLane also discovered that a similar issue could trigger an integer overflow, leading to a memory allocation of 4GB. 
This could allow remote attackers to cause a denial of service by saturating the target's memory.\n\nFor the oldstable distribution (wheezy), these problems have been fixed in version 20091223cvs-1.2+deb7u1.\n\nFor the stable distribution (jessie), these problems have been fixed in version 20091223cvs-1.4+deb8u1.\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\nWe recommend that you upgrade your tidy packages.", "published": "2015-07-18T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-3309", "cvelist": ["CVE-2015-5523", "CVE-2015-5522"], "lastseen": "2017-10-05T13:14:40"}, {"id": "DLA-273", "type": "debian", "title": "tidy -- LTS security update", "description": "Fernando Mu\u00f1oz discovered a security issue on the HTML syntax checker and reformatter tidy. Tidy did not properly process specific character sequences, and a remote attacker could exploit this flaw to cause a DoS, or probably, execute arbitrary code. 
Two different CVEs were assigned to this issue.\n\n * [CVE-2015-5522](<https://security-tracker.debian.org/tracker/CVE-2015-5522>)\n\nMalformed html documents could lead to a heap-buffer-overflow.\n\n * [CVE-2015-5523](<https://security-tracker.debian.org/tracker/CVE-2015-5523>)\n\nMalformed html documents could lead to allocate 4Gb of memory.\n\nFor the Squeeze distribution, this issue has been fixed in the 20091223cvs-1+deb6u1 version of tidy.\n\nWe recommend that you upgrade your tidy packages.", "published": "2015-07-18T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/2015/dla-273", "cvelist": ["CVE-2015-5523", "CVE-2015-5522"], "lastseen": "2017-10-05T13:10:42"}], "ubuntu": [{"id": "USN-2695-1", "type": "ubuntu", "title": "HTML Tidy vulnerabilities", "description": "Fernando Mu\u00f1oz discovered that HTML Tidy incorrectly handled memory. If a user or automated system were tricked into processing specially crafted data, applications linked against HTML Tidy could be made to crash, leading to a denial of service, or possibly execute arbitrary code.", "published": "2015-07-29T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/2695-1/", "cvelist": ["CVE-2015-5523", "CVE-2015-5522"], "lastseen": "2018-03-29T18:19:27"}], "openvas": [{"id": "OPENVAS:703309", "type": "openvas", "title": "Debian Security Advisory DSA 3309-1 (tidy - security update)", "description": "Fernando Mu\u00f1oz discovered that invalid HTML input passed to tidy, an\nHTML syntax checker and reformatter, could trigger a buffer overflow.\nThis could allow remote attackers to cause a denial of service (crash)\nor potentially execute arbitrary code.\n\nGeoff McLane also discovered that a similar issue could trigger an\ninteger overflow, leading to a memory allocation of 4GB. 
This could\nallow remote attackers to cause a denial of service by saturating the\ntarget", "published": "2015-07-18T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=703309", "cvelist": ["CVE-2015-5523", "CVE-2015-5522"], "lastseen": "2017-07-24T12:52:37"}, {"id": "OPENVAS:1361412562310842394", "type": "openvas", "title": "Ubuntu Update for tidy USN-2695-1", "description": "Check the version of tidy", "published": "2015-07-30T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842394", "cvelist": ["CVE-2015-5523", "CVE-2015-5522"], "lastseen": "2017-12-04T11:23:17"}, {"id": "OPENVAS:1361412562310703309", "type": "openvas", "title": "Debian Security Advisory DSA 3309-1 (tidy - security update)", "description": "Fernando Mu\u00f1oz discovered that invalid HTML input passed to tidy, an\nHTML syntax checker and reformatter, could trigger a buffer overflow.\nThis could allow remote attackers to cause a denial of service (crash)\nor potentially execute arbitrary code.\n\nGeoff McLane also discovered that a similar issue could trigger an\ninteger overflow, leading to a memory allocation of 4GB. This could\nallow remote attackers to cause a denial of service by saturating the\ntarget", "published": "2015-07-18T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703309", "cvelist": ["CVE-2015-5523", "CVE-2015-5522"], "lastseen": "2018-04-06T11:25:19"}]}}