CVE-2015-8853Improper Input Validation in Perl

CWE-20Improper Input ValidationCWE-400Uncontrolled Resource Consumption11 documents8 sources
Severity
7.5HIGHNVD
EPSS
14.0%
top 5.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
PerlDebian PerlFedoraproject Fedora
Timeline
PublishedMay 25
Latest updateMay 14

Description

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

debiandebian/perl< perl 5.22.1-1 (bookworm)
Debianperl/perl< 5.22.1-1+3
Ubuntuperl/perl< 5.18.2-2ubuntu1.4+1
NVDperl/perl5.23.9

Also affects: Fedora 22

🔴Vulnerability Details

4
GHSA
GHSA-c4jc-532j-fmvf: The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec2022-05-14
OSV
perl vulnerabilities2018-04-16
CVEList
CVE-2015-8853: The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec2016-05-25
OSV
CVE-2015-8853: The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec2016-05-25

📋Vendor Advisories

4
Ubuntu
Perl vulnerabilities2018-04-17
Ubuntu
Perl vulnerabilities2018-04-16
Red Hat
perl: regexp matching hangs indefinitely on illegal UTF-8 input2015-01-07
Debian
CVE-2015-8853: perl - The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c ...2015

💬Community

2
Bugzilla
CVE-2015-8853 perl: regexp matching hangs indefinitely on illegal UTF-8 input [fedora-22]2016-04-21
Bugzilla
CVE-2015-8853 perl: regexp matching hangs indefinitely on illegal UTF-8 input2016-04-21