CVE-2015-3217

CWE-119 — Buffer Overflow CWE-674 — Uncontrolled Recursion7 documents7 sources

Severity

7.5HIGH

EPSS

0.9%

top 24.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Powerkvm Pcre Pcre Pcre Pcre2

Timeline

PublishedDec 13

Latest updateMay 14

Description

PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\.|([^\\\\W_])?)+)+$/.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDpcre/pcre210.10

▶Debianpcre3< 2:8.38-1+1

▶NVDpcre/pcre7 versions+6

▶NVDibm/powerkvm2.1, 3.1+1

Patches

Patch: vcs.pcre.org ↗Patch: vcs.pcre.org ↗

🔴Vulnerability Details

GHSA

GHSA-pv36-98fw-pc7h: PCRE 7↗2022-05-14

▶

OSV

CVE-2015-3217: PCRE 7↗2016-12-13

▶

CVEList

CVE-2015-3217: PCRE 7↗2016-12-13

▶

📋Vendor Advisories

Red Hat

pcre: stack overflow caused by mishandled group empty match (8.38/11)↗2015-06-03

▶

Debian

CVE-2015-3217: pcre3 - PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, w...↗2015

▶

💬Community

Bugzilla

CVE-2015-3217 pcre: stack overflow caused by mishandled group empty match (8.38/11)↗2015-06-04

▶