CVE-2015-2328 — Uncontrolled Recursion in Pcre

CWE-19 CWE-674 — Uncontrolled Recursion9 documents8 sources

Severity

7.5HIGHNVD

EPSS

2.7%

top 14.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pcre Oracle Linux

Timeline

PublishedDec 2

Latest updateMay 13

Description

PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶NVDpcre/pcre8.35

▶NVDoracle/linux7

🔴Vulnerability Details

GHSA

GHSA-4h7h-5fv8-m6hg: PCRE before 8↗2022-05-13

▶

CVEList

CVE-2015-2328: PCRE before 8↗2015-12-02

▶

OSV

CVE-2015-2328: PCRE before 8↗2015-12-02

▶

📋Vendor Advisories

Ubuntu

PCRE vulnerabilities↗2016-03-29

▶

Debian

CVE-2015-2328: pcre3 - PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and related patterns w...↗2015

▶

Red Hat

pcre: infinite recursion compiling pattern with recursive reference in a group with indefinite repeat (8.36/20)↗2014-08-07

▶

💬Community

Bugzilla

CVE-2015-2328 pcre: infinite recursion compiling pattern with recursive reference in a group with indefinite repeat (8.36/20)↗2015-11-25

▶

Bugzilla

CVE-2015-3155 foreman: the _session_id cookie is issued without the Secure flag↗2015-04-28

▶