CVE-2015-8866
Published: 2016-05-22
Severity: critical, 9.6 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| opensuse | leap | — | — |
| opensuse | opensuse | — | — |
| php | php | >= 5.5.0 < 5.5.22 | 5.5.22 |
| php | php | >= 5.6.0 < 5.6.6 | 5.6.6 |
| php | php | >= 7.0.0 < 7.0.27 | 7.0.27 |
| php | php | >= 7.1.0 < 7.1.13 | 7.1.13 |
| php | php | >= 7.2.0 < 7.2.1 | 7.2.1 |
| php5 | php5 | >= 0 < 5.5.9+dfsg-1ubuntu4.16 | 5.5.9+dfsg-1ubuntu4.16 |
| suse | linux_enterprise_module_for_web_scripting | — | — |
| suse | linux_enterprise_software_development_kit | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| osv | — | 6.8 | MEDIUM | — |