QwikSec

Security Database

CVE

CWE

Training

CVE-2015-8381

Published: Dec 2, 2015

Modified: Aug 6, 2024

PUBLISHED

Description

The compile_regex function in pcre_compile.c in PCRE before 8.38 and pcre2_compile.c in PCRE2 before 10.2x mishandles the /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/ and /(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/ patterns, and related patterns with certain group references, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

[oss-security] 20151128 Re: Heap Overflow in PCRE

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_REDHAT

vendor-advisory

x_refsource_REDHAT

vdb-entry

x_refsource_BID

https://bugs.exim.org/show_bug.cgi?id=1667

x_refsource_CONFIRM

https://bugs.exim.org/show_bug.cgi?id=1672

x_refsource_CONFIRM

https://bto.bluecoat.com/security-advisory/sa128

x_refsource_CONFIRM

http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup

x_refsource_CONFIRM

vendor-advisory

x_refsource_GENTOO

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.