CVE-2015-3217

moderate-risk
Published 2016-12-13

PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\.|([^\\\\W_])?)+)+$/.

Do I need to act?

-
0.86% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (10)

Pcre
Pcre
Pcre
Pcre
Pcre2
Pcre
Pcre
Pcre

Affected Vendors

Pcre Ibm

References (20)

http://rhn.redhat.com/errata/RHSA-2016-1025.html
http://rhn.redhat.com/errata/RHSA-2016-2750.html
Patch http://vcs.pcre.org/pcre?view=revision&revision=1566
Third Party Advisory http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886
Mailing List http://www.openwall.com/lists/oss-security/2015/06/03/7
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.h...
Third Party Advisory http://www.securityfocus.com/bid/75018
https://access.redhat.com/errata/RHSA-2016:1132
Exploit https://bugs.exim.org/show_bug.cgi?id=1638
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1228283
http://rhn.redhat.com/errata/RHSA-2016-1025.html
http://rhn.redhat.com/errata/RHSA-2016-2750.html
Patch http://vcs.pcre.org/pcre?view=revision&revision=1566
Third Party Advisory http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886
Mailing List http://www.openwall.com/lists/oss-security/2015/06/03/7
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.h...
Third Party Advisory http://www.securityfocus.com/bid/75018
https://access.redhat.com/errata/RHSA-2016:1132
Exploit https://bugs.exim.org/show_bug.cgi?id=1638
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1228283
45
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 3/34 · Minimal
Exposure 16/34 · Moderate