CVE-2015-3210Out-of-bounds Write in Pcre

CWE-787Out-of-bounds WriteCWE-122Heap-based Buffer OverflowCWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer11 documents8 sources
Severity
9.8CRITICALNVD
EPSS
5.7%
top 9.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
PcrePcre Pcre2
Timeline
PublishedDec 13
Latest updateMay 14

Description

Heap-based buffer overflow in PCRE 8.34 through 8.37 and PCRE2 10.10 allows remote attackers to execute arbitrary code via a crafted regular expression, as demonstrated by /^(?P=B)((?P=B)(?J:(?Pc)(?Pa(?P=B)))>WGXCREDITS)/, a different vulnerability than CVE-2015-8384.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDpcre/pcre210.10
NVDpcre/pcre4 versions+3

🔴Vulnerability Details

3
GHSA
GHSA-rw29-r7x7-2gmq: Heap-based buffer overflow in PCRE 82022-05-14
OSV
CVE-2015-3210: Heap-based buffer overflow in PCRE 82016-12-13
CVEList
CVE-2015-3210: Heap-based buffer overflow in PCRE 82016-12-13

📋Vendor Advisories

4
Ubuntu
PCRE vulnerabilities2016-03-29
Red Hat
pcre: buffer overflow caused by recursive back reference by name within certain group (8.38/4)2015-11-23
Ubuntu
PCRE vulnerabilities2015-07-29
Debian
CVE-2015-3210: pcre3 - Heap-based buffer overflow in PCRE 8.34 through 8.37 and PCRE2 10.10 allows remo...2015

💬Community

3
Bugzilla
CVE-2015-3210 CVE-2015-8384 pcre: buffer overflow caused by recursive back reference by name within certain group (8.38/4)2015-12-02
Bugzilla
CVE-2015-3210 pcre: heap buffer overflow in pcre_compile2() / compile_regex() [fedora-all]2015-06-29
Bugzilla
CVE-2015-3210 mingw-pcre: pcre: heap buffer overflow in pcre_compile2() / compile_regex() [fedora-all]2015-06-29
CVE-2015-3210 — Out-of-bounds Write in Pcre | cvebase