Out-of-bounds Read

Affecting pcre3 package, versions <2:8.35-7.2


Overview

The pcre_compile2 function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code and cause a denial of service (out-of-bounds read) via a regular expression with a group containing both a forward-referencing subroutine call and a recursive back reference, as demonstrated by "((?+1)(\1))/".

CVSS Score

5.5
medium severity
  • Attack Vector
    Local
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    None
  • Availability
    High
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE
CVE-2015-2326
CWE
CWE-125
Snyk ID
SNYK-DEBIAN9-PCRE3-345297
Disclosed
14 Jan, 2020
Published
27 Jun, 2018