Lucene search

K
rosalinuxROSA LABROSA-SA-2021-1947
HistoryJul 02, 2021 - 5:40 p.m.

Advisory ROSA-SA-2021-1947

2021-07-0217:40:57
ROSA LAB
abf.rosalinux.ru
14

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.1 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.067 Low

EPSS

Percentile

93.9%

Software: pcre 8.32
OS: Cobalt 7.9

CVE-ID: CVE-2015-2327
CVE-Crit: MEDIUM
CVE-DESC: PCRE before version 8.36 incorrectly handles the pattern / (((a \ 2) | (a *) \ g )) * / / and related patterns with certain internal recursive backlinks, allowing remote attackers to cause a denial of service (segmentation error) or possibly an unspecified other impact using a crafted regular expression, as demonstrated by the JavaScript RegExp object detected by Konqueror.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2015-2326
CVE-Crit: MEDIUM
CVE-DESC: The pcre_compile2 function in PCRE before 8.37 allows context-sensitive attackers to compile invalid code and cause a denial of service (read out of bounds) by using a regular expression with a group containing both a direct invocation subroutine call and a recursive backreference, as shown by “(((? +1) (\ 1)) /”.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2015-2325
CVE-Crit: HIGH
CVE-DESC: The compile_branch feature in PCRE before 8.37 allows context-dependent attackers to compile invalid code, cause a denial of service (out-of-range reads from the heap and crash), or possibly have other undefined impact via a regular expression with a group containing a direct reference repeated a large number of times in a repeated outer group that has a zero minimum quantifier.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2015-8380
CVE-Crit: HIGH
CVE-DESC: The pcre_exec function in pcre_exec.c in PCRE before version 8.38 improperly handles // a pattern with string \ 01, allowing remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have an unspecified other impact via a crafted regular expression, as demonstrated by the JavaScript RegExp object detected by Konqueror.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2015-8381
CVE-Crit: HIGH
CVE-DESC: the compile_regex function in pcre_compile.c in PCRE before 8.38 and pcre2_compile.c in PCRE2 before 10.2x incorrectly handles / (? J :(? | (:(? | (? ‘R’) (\ k’R ‘) | ((?’ R ‘)))) H’Rk’Rf) | s (?’ R ‘)))) / and / (? J :(? | (:(? | (?’ R ‘) (\ z (? | (?’ ‘R’) (\ k’R ‘) | ((?’ R ‘)))) k’R’) | ((? ‘R’))) H’Ak’Rf) | s ((? ‘R’))) / templates and related templates with specific group references, allowing remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have an unspecified other impact using a crafted regular expression, as demonstrated by the JavaScript RegExp object detected by Konqueror.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2015-8383
CVE-Crit: HIGH
CVE-DESC: PCRE before 8.38 improperly handles certain repeated conditional groups, allowing remote attackers to cause a denial of service (buffer overflow) or possibly have an unspecified other impact using a crafted regular expression, as demonstrated by the JavaScript RegExp object detected by Konqueror.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2015-8384
CVE-Crit: HIGH
CVE-DESC: PCRE before version 8.38 does not properly handle the pattern / (? J) (? ‘D’ (? ‘D’ \ g {d})) / and related patterns with certain recursive backlinks, allowing remote attackers to cause a denial of service (buffer overflow) or possibly have an unspecified other impact via a crafted regular expression, as demonstrated by the JavaScript RegExp object encountered by Konqueror, an issue related to CVE-2015-8392 and CVE-2015-8395.
CVE-STATUS: default
CVE-REV: Default

CVE-ID: CVE-2015-8387
CVE-Crit: HIGH
CVE-DESC: PCRE before version 8.38 incorrectly handles (? 123) subroutine calls and associated subroutine calls, allowing remote attackers to cause a denial of service (integer overflow) or possibly have an unspecified other impact using a crafted regular expression, as shown in JavaScript. RegExp object detected by Konqueror.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2015-8389
CVE-Crit: HIGH
CVE-DESC: PCRE before version 8.38 incorrectly handles the / (?: | a | a |) {100} x / pattern and related patterns, allowing remote attackers to cause a denial of service (infinite recursion) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by the JavaScript RegExp object detected by Konqueror.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2015-8390
CVE-Crit: HIGH
CVE-DESC: PCRE before version 8.38 incorrectly handles [: and \\\ substrings in character classes, allowing remote attackers to cause a denial of service (uninitialized read from memory) or possibly have an unspecified other impact using a crafted regular expression, as shown by the JavaScript RegExp object detected by Konqueror.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2015-8392
CVE-Crit: HIGH
CVE-DESC: PCRE before version 8.38 incorrectly handles certain instances of substring (? |, Which allows remote attackers to cause a denial of service (unintended recursion and buffer overflow) or possibly have an unspecified other impact using a crafted regular expression, as shown by the JavaScript RegExp object encountered by Konqueror, an issue related to CVE-2015-8384 and CVE-2015-8395.
CVE-STATUS: default
CVE-REV: Default

CVE-ID: CVE-2015-8393
CVE-Crit: HIGH
CVE-DESC: pcregrep in PCRE before version 8.38 does not properly handle the -q parameter for binaries, which could allow remote attackers to obtain sensitive information via a crafted file, as demonstrated by a CGI script that sends standard output data to a client.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2015-8394
CVE-Crit: HIGH
CVE-DESC: PCRE before version 8.38 incorrectly handles (? () and (? (R )) conditions, allowing remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by the JavaScript RegExp object detected by Konqueror.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2015-8395
CVE-Crit: HIGH
CVE-DESC: PCRE before 8.38 improperly handles certain references, allowing remote attackers to cause a denial of service or possibly have an unspecified other impact using a crafted regular expression, as demonstrated by the JavaScript RegExp object encountered by Konqueror, an issue related to CVE- 2015-8384 and CVE-2015-8392.
CVE-STATUS: default
CVE-REV: Default

CVE-ID: CVE-2017-6004
CVE-Crit: HIGH
CVE-DESC: The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE prior to 8.x before revision 1680 (e.g. linked PHP 7.1.1.1) allows remote attackers to cause a denial of service (read out of range and application failure ) via a crafted regular expression.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2017-8399
CVE-Crit: CRITICAL
CVE-DESC: PCRE2 before 10.30 has an out-of-range entry caused by a stack-based buffer overflow in pcre2_match.c, which is due to a “pattern with a very large number of captures”.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-20838
CVE-Crit: HIGH
CVE-DESC: libpcre in PCRE before 8.43 allows topic buffer re-reading in JIT when UTF is disabled and \ X or \ R have more than one fixed quantizer, issue related to CVE-2019-20454.
CVE-STATUS: Default
CVE-REV: default

CVE-ID: CVE-2020-14155
CVE-Crit: MEDIUM
CVE-DESC: libpcre in PCRE before 8.44 allows integer overflow through a large number after (? C substring.
CVE-STATUS: default
CVE-REV: default

OSVersionArchitecturePackageVersionFilename
Cobaltanynoarchpcre< 8.32UNKNOWN

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.1 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.067 Low

EPSS

Percentile

93.9%