CVE-2015-8383 : PCRE before 8.38 mishandles certain repeated conditional groups, which allows remote attackers to cause a denial of serv

PCRE before 8.38 mishandles certain repeated conditional groups, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

Published 2015-12-02 01:59:07

Updated 2023-02-16 14:15:13

Source MITRE

View at NVD, CVE.org

Vulnerability category: OverflowDenial of service

Threat overview for CVE-2015-8383

Top countries where our scanners detected CVE-2015-8383

Top open port discovered on systems with this issue 80

IPs affected by CVE-2015-8383 62,938

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2015-8383!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2015-8383

Probability of exploitation activity in the next 30 days: 4.99%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 92 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2015-8383

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2015-8383

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-8383

http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html

[SECURITY] Fedora 22 Update: pcre-8.38-1.fc22
Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20230216-0002/

December 2015 PCRE Vulnerabilities in NetApp Products | NetApp Product Security

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2016:1132

RHSA-2016:1132 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup

ViewVC Exception
Broken Link;Release Notes

CVEs referencing this url
https://security.gentoo.org/glsa/201607-02

libpcre: Multiple Vulnerabilities (GLSA 201607-02) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://bto.bluecoat.com/security-advisory/sa128

SA128 : Multiple PCRE Vulnerabilities
Third Party Advisory

CVEs referencing this url
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731

HPSBNS03635 rev.1 - HPE NonStop Servers OSS Script Languages running Perl and PHP, Multiple Local and Remote Vulnerabilities
Third Party Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2016-2750.html

RHSA-2016:2750 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2015/11/29/1

oss-security - Re: Heap Overflow in PCRE
Mailing List;Third Party Advisory

CVEs referencing this url

Products affected by CVE-2015-8383