CVE-2015-2325

high
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

The compile_branch function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code, cause a denial of service (out-of-bounds heap read and crash), or possibly have other unspecified impact via a regular expression with a group containing a forward reference repeated a large number of times within a repeated outer group that has a zero minimum quantifier.

References

http://lists.opensuse.org/opensuse-updates/2015-05/msg00014.html

https://bugs.exim.org/show_bug.cgi?id=1591

https://fortiguard.com/zeroday/FG-VD-15-015

https://www.pcre.org/original/changelog.txt

Details

Source: MITRE

Published: 2020-01-14

Updated: 2020-01-24

Type: CWE-125

Risk Information

CVSS v2

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 7.8

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 1.8

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:pcre:pcre:*:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

Tenable Plugins

View all (26 total)

IDNameProductFamilySeverity
98802PHP 5.6.x < 5.6.10 Multiple VulnerabilitiesWeb Application ScanningComponent Vulnerability
critical
106495pfSense < 2.2.3 Multiple Vulnerabilities (SA-15_07) (Logjam)NessusFirewalls
critical
95915SUSE SLED12 / SLES12 Security Update : pcre (SUSE-SU-2016:3161-1)NessusSuSE Local Security Checks
critical
95754openSUSE Security Update : pcre (openSUSE-2016-1448)NessusSuSE Local Security Checks
critical
95534SUSE SLED12 / SLES12 Security Update : pcre (SUSE-SU-2016:2971-1)NessusSuSE Local Security Checks
critical
91579F5 Networks BIG-IP : PCRE library vulnerability (K16983)NessusF5 Networks Local Security Checks
high
90306Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : pcre3 vulnerabilities (USN-2943-1)NessusUbuntu Local Security Checks
critical
85566Tenable SecurityCenter Multiple PHP Vulnerabilities (TNS-2015-06)NessusMisc.
critical
85122Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : pcre3 vulnerabilities (USN-2694-1)NessusUbuntu Local Security Checks
critical
84913SUSE SLED12 / SLES12 Security Update : mariadb (SUSE-SU-2015:1273-1) (BACKRONYM)NessusSuSE Local Security Checks
high
84830Slackware 14.0 / 14.1 / current : php (SSA:2015-198-02) (BACKRONYM)NessusSlackware Local Security Checks
critical
84658openSUSE Security Update : MariaDB (openSUSE-2015-479) (BACKRONYM) (Logjam)NessusSuSE Local Security Checks
high
84625Amazon Linux AMI : php56 (ALAS-2015-563)NessusAmazon Linux Local Security Checks
critical
84624Amazon Linux AMI : php55 (ALAS-2015-562)NessusAmazon Linux Local Security Checks
critical
84364PHP 5.6.x < 5.6.10 Multiple VulnerabilitiesNessusCGI abuses
critical
84363PHP 5.5.x < 5.5.26 Multiple VulnerabilitiesNessusCGI abuses
critical
84362PHP 5.4.x < 5.4.42 Multiple VulnerabilitiesNessusCGI abuses
critical
8787PHP 5.5.x < 5.5.26 / 5.6.x < 5.6.10 Multiple VulnerabilitiesNessus Network MonitorWeb Servers
medium
8786PHP 5.6.x < 5.6.9 Multiple VulnerabilitiesNessus Network MonitorWeb Servers
high
84127Slackware 14.0 / 14.1 / current : php (SSA:2015-162-02)NessusSlackware Local Security Checks
high
83975Amazon Linux AMI : php56 (ALAS-2015-536)NessusAmazon Linux Local Security Checks
high
83973Amazon Linux AMI : php54 (ALAS-2015-534)NessusAmazon Linux Local Security Checks
high
83795FreeBSD : pcre -- multiple vulnerabilities (4a88e3ed-00d3-11e5-a072-d050996490d0)NessusFreeBSD Local Security Checks
high
83519PHP 5.6.x < 5.6.9 Multiple VulnerabilitiesNessusCGI abuses
critical
83517PHP 5.4.x < 5.4.41 Multiple VulnerabilitiesNessusCGI abuses
critical
83392openSUSE Security Update : pcre (openSUSE-2015-353)NessusSuSE Local Security Checks
high