CVE-2015-2326

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

The pcre_compile2 function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code and cause a denial of service (out-of-bounds read) via regular expression with a group containing both a forward referencing subroutine call and a recursive back reference, as demonstrated by "((?+1)(\1))/".

References

http://lists.opensuse.org/opensuse-updates/2015-05/msg00014.html

https://bugs.exim.org/show_bug.cgi?id=1592

https://fortiguard.com/zeroday/FG-VD-15-016

https://www.pcre.org/original/changelog.txt

Details

Source: MITRE

Published: 2020-01-14

Updated: 2020-01-24

Type: CWE-125

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 5.5

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 1.8

Severity: MEDIUM

Tenable Plugins

View all (22 total)

IDNameProductFamilySeverity
98802PHP 5.6.x < 5.6.10 Multiple VulnerabilitiesWeb Application ScanningComponent Vulnerability
critical
106495pfSense < 2.2.3 Multiple Vulnerabilities (SA-15_07) (Logjam)NessusFirewalls
critical
90306Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : pcre3 vulnerabilities (USN-2943-1)NessusUbuntu Local Security Checks
critical
85566Tenable SecurityCenter Multiple PHP Vulnerabilities (TNS-2015-06)NessusMisc.
critical
85122Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : pcre3 vulnerabilities (USN-2694-1)NessusUbuntu Local Security Checks
critical
84913SUSE SLED12 / SLES12 Security Update : mariadb (SUSE-SU-2015:1273-1) (BACKRONYM)NessusSuSE Local Security Checks
high
84830Slackware 14.0 / 14.1 / current : php (SSA:2015-198-02) (BACKRONYM)NessusSlackware Local Security Checks
critical
84658openSUSE Security Update : MariaDB (openSUSE-2015-479) (BACKRONYM) (Logjam)NessusSuSE Local Security Checks
high
84625Amazon Linux AMI : php56 (ALAS-2015-563)NessusAmazon Linux Local Security Checks
critical
84624Amazon Linux AMI : php55 (ALAS-2015-562)NessusAmazon Linux Local Security Checks
critical
84364PHP 5.6.x < 5.6.10 Multiple VulnerabilitiesNessusCGI abuses
critical
84363PHP 5.5.x < 5.5.26 Multiple VulnerabilitiesNessusCGI abuses
critical
84362PHP 5.4.x < 5.4.42 Multiple VulnerabilitiesNessusCGI abuses
critical
8787PHP 5.5.x < 5.5.26 / 5.6.x < 5.6.10 Multiple VulnerabilitiesNessus Network MonitorWeb Servers
medium
8786PHP 5.6.x < 5.6.9 Multiple VulnerabilitiesNessus Network MonitorWeb Servers
high
84127Slackware 14.0 / 14.1 / current : php (SSA:2015-162-02)NessusSlackware Local Security Checks
high
83975Amazon Linux AMI : php56 (ALAS-2015-536)NessusAmazon Linux Local Security Checks
high
83973Amazon Linux AMI : php54 (ALAS-2015-534)NessusAmazon Linux Local Security Checks
high
83795FreeBSD : pcre -- multiple vulnerabilities (4a88e3ed-00d3-11e5-a072-d050996490d0)NessusFreeBSD Local Security Checks
high
83519PHP 5.6.x < 5.6.9 Multiple VulnerabilitiesNessusCGI abuses
critical
83517PHP 5.4.x < 5.4.41 Multiple VulnerabilitiesNessusCGI abuses
critical
83392openSUSE Security Update : pcre (openSUSE-2015-353)NessusSuSE Local Security Checks
high