Skip to main content

Perl Compatible Regular Expression Library CVE-2015-8383

CRITICAL
Buffer Overflow (CWE-119)
2015-12-02 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Dec 02, 2015 - 01:59 cve.org
CRITICAL 9.8

DescriptionCVE.org

PCRE before 8.38 mishandles certain repeated conditional groups, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

AnalysisAI

PCRE before 8.38 mishandles certain repeated conditional groups, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Buffer Overflow (CWE-119), which allows attackers to corrupt memory to execute arbitrary code or crash the application. PCRE before 8.38 mishandles certain repeated conditional groups, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. Affected products include: Pcre Perl Compatible Regular Expression Library, Fedoraproject Fedora, Php. Version information: before 8.38.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use memory-safe languages or bounds-checking. Enable ASLR, DEP/NX, stack canaries. Use safe string functions.

CVE-2015-8381 HIGH POC
7.5 Dec 02

The compile_regex function in pcre_compile.c in PCRE before 8.38 and pcre2_compile.c in PCRE2 before 10.2x mishandles th

CVE-2015-2327 HIGH POC
7.5 Dec 02

PCRE before 8.36 mishandles the /(((a\2)|(a*)\g<-1>))*/ pattern and related patterns with certain internal recursive bac

CVE-2015-8380 HIGH POC
7.5 Dec 02

The pcre_exec function in pcre_exec.c in PCRE before 8.38 mishandles a // pattern with a \01 string, which allows remote

CVE-2015-8386 CRITICAL
9.8 Dec 02

PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows re

CVE-2015-8382 MEDIUM POC
6.4 Dec 02

The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcde

CVE-2015-8390 CRITICAL
9.8 Dec 02

PCRE before 8.38 mishandles the [: and \\ substrings in character classes, which allows remote attackers to cause a deni

CVE-2015-8389 CRITICAL
9.8 Dec 02

PCRE before 8.38 mishandles the /(?:|a|){100}x/ pattern and related patterns, which allows remote attackers to cause a d

CVE-2015-8394 CRITICAL
9.8 Dec 02

PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits>) conditions, which allows remote attackers to cause a deni

CVE-2015-8385 HIGH
7.5 Dec 02

PCRE before 8.38 mishandles the /(?|(\k'Pm')|(?'Pm'))/ pattern and related patterns with certain forward references, whi

CVE-2015-8392 HIGH
7.5 Dec 02

PCRE before 8.38 mishandles certain instances of the (?| substring, which allows remote attackers to cause a denial of s

CVE-2015-8388 HIGH
7.5 Dec 02

PCRE before 8.38 mishandles the /(?=di(?<=(?1))|(?=(.))))/ pattern and related patterns with an unmatched closing parent

CVE-2015-8395 HIGH
7.5 Dec 02

PCRE before 8.38 mishandles certain references, which allows remote attackers to cause a denial of service or possibly h

Share

CVE-2015-8383 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy