Lucene search

K

[email protected]NVD:CVE-2015-8382

HistoryDec 02, 2015 - 1:59 a.m.

CVE-2015-8382

2015-12-0201:59:05

CWE-119

[email protected]

web.nvd.nist.gov

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

9.1 High

AI Score

Confidence

High

0.05 Low

EPSS

Percentile

92.9%

The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.

Affected configurations

NVD

Node

pcreperl_compatible_regular_expression_libraryMatch8.36

References

git.php.net/?p=php-src.git%3Ba=commit%3Bh=c351b47ce85a3a147cfa801fa9f0149ab4160834

vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup

vcs.pcre.org/pcre/code/trunk/pcre_exec.c?r1=1502&r2=1510

www.openwall.com/lists/oss-security/2015/08/04/3

www.openwall.com/lists/oss-security/2015/11/29/1

www.securityfocus.com/bid/76157

bto.bluecoat.com/security-advisory/sa128

bugs.exim.org/show_bug.cgi?id=1537

bugzilla.redhat.com/show_bug.cgi?id=1187225

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

9.1 High

AI Score

Confidence

High

0.05 Low

EPSS

Percentile

92.9%

Related for NVD:CVE-2015-8382

cvelist1 ubuntucve1 prion1 debiancve1 cve1 ibm6 nessus9 f52 openwrt1 symantec1 openvas7 ubuntu1 suse2