CVE-2007-1661 — Perl-compatible Regular Expression Library vulnerability

9 documents8 sources

Severity

6.4MEDIUMNVD

EPSS

2.0%

top 16.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Glib2.0 Debian Pcre3 Pcre Perl-compatible Regular Expression Library +2 more

Timeline

PublishedNov 7

Latest updateMay 1

Description

Perl-Compatible Regular Expression (PCRE) library before 7.3 backtracks too far when matching certain input bytes against some regex patterns in non-UTF-8 mode, which allows context-dependent attackers to obtain sensitive information or cause a denial of service (crash), as demonstrated by the "\X?\d" and "\P{L}?\d" patterns.

CVSS vector

AV:N/AC:L/C:P/I:N/A:PExploitability: 10.0 | Impact: 4.9

Affected Packages5 packages

▶NVDpcre/perl-compatible_regular_expression_library7.2+2

▶debiandebian/pcre3< glib2.0 2.14.3-1 (bookworm)

▶debiandebian/glib2.0< glib2.0 2.14.3-1 (bookworm)

▶NVDapple/mac_os_x10.4.11

▶NVDapple/mac_os_x_server10.4.11

Patches

Patch: www.debian.org ↗Patch: www.debian.org ↗

🔴Vulnerability Details

GHSA

GHSA-759q-4q8w-5gfh: Perl-Compatible Regular Expression (PCRE) library before 7↗2022-05-01

▶

OSV

CVE-2007-1661: Perl-Compatible Regular Expression (PCRE) library before 7↗2007-11-07

▶

💥Exploits & PoCs

Exploit-DB

HP StorageWorks - NSI Double Take Remote Overflow (Metasploit)↗2008-06-04

▶

📋Vendor Advisories

Ubuntu

PCRE vulnerabilities↗2007-11-27

▶

Red Hat

: pcre < 7.3 non-UTF-8 over-backtracking issue↗2007-11-05

▶

Debian

CVE-2007-1661: glib2.0 - Perl-Compatible Regular Expression (PCRE) library before 7.3 backtracks too far ...↗2007

▶

💬Community

Bugzilla

CVE-2007-1661: pcre < 7.3 non-UTF-8 over-backtracking issue↗2007-11-20

▶

Bugzilla

Multiple PCRE flaws↗2007-09-26

▶