CVE-2015-8382Improper Restriction of Operations within the Bounds of a Memory Buffer in Perl Compatible Regular Expression Library

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-665Improper Initialization8 documents8 sources
Severity
6.4MEDIUMNVD
EPSS
1.8%
top 17.31%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Pcre Perl Compatible Regular Expression Library
Timeline
PublishedDec 2
Latest updateMay 17

Description

The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.

CVSS vector

AV:N/AC:L/C:P/I:N/A:PExploitability: 10.0 | Impact: 4.9

Affected Packages1 packages

🔴Vulnerability Details

3
GHSA
GHSA-h7q3-3hf3-hv3q: The match function in pcre_exec2022-05-17
CVEList
CVE-2015-8382: The match function in pcre_exec2015-12-02
OSV
CVE-2015-8382: The match function in pcre_exec2015-12-02

📋Vendor Advisories

3
Ubuntu
PCRE vulnerabilities2016-03-29
Red Hat
php: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)2015-02-03
Debian
CVE-2015-8382: pcre3 - The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd)...2015

💬Community

1
Bugzilla
CVE-2015-8382 php: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)2015-01-29
CVE-2015-8382 — MEDIUM severity | cvebase