CVE-2015-8386
critical
CVSS v3
9.8
CVSS v2
7.5
VIR risk
9.8
Description
PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2015-8386
Vendor advisory: cve@mitre.org — http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| fedora | 22 | affected | |
| debian | bookworm | fixed | 2:8.38-1 |
| debian | bullseye | fixed | 2:8.38-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| pcre | perl_compatible_regular_expression_library | {"endIncluding":"8.37"} | |
| php | php | {"startIncluding":"5.5.0","endExcluding":"5.5.32"} | 5.5.32 |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html
- http://rhn.redhat.com/errata/RHSA-2016-1025.html
- http://rhn.redhat.com/errata/RHSA-2016-2750.html
- http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
- http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886
- http://www.openwall.com/lists/oss-security/2015/11/29/1
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.securityfocus.com/bid/82990
- https://access.redhat.com/errata/RHSA-2016:1132
- https://bto.bluecoat.com/security-advisory/sa128
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
- https://security.gentoo.org/glsa/201607-02
- https://security.netapp.com/advisory/ntap-20230216-0002/
- https://security-tracker.debian.org/tracker/CVE-2015-8386
CWEs
CWE-119
Verify integrity in audit chain (admin only). AS-IS.