CVE-2015-8394

Summary

CVE	CVE-2015-8394
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2015-12-02 01:59:00 UTC
Updated	2023-02-16 14:15:00 UTC
Description	PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits>) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

Risk And Classification

Problem Types: CWE-190

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Pcre	Perl Compatible Regular Expression Library	All	All	All	All
Application	Php	Php	All	All	All	All

References

Reference	Source	Link	Tags
December 2015 PCRE Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
ViewVC Exception	CONFIRM	vcs.pcre.org
Broadcom Support Portal	CONFIRM	bto.bluecoat.com
[SECURITY] Fedora 22 Update: pcre-8.38-1.fc22	FEDORA	lists.fedoraproject.org
Document Display \| HPE Support Center	CONFIRM	h20566.www2.hpe.com
PCRE Multiple Security Vulnerabilities	BID	www.securityfocus.com
libpcre: Multiple Vulnerabilities (GLSA 201607-02) — Gentoo security	GENTOO	security.gentoo.org
oss-security - Re: Heap Overflow in PCRE	MLIST	www.openwall.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

20390 IBM DB2 Multiple Vulnerabilities (7087225)
355521 Amazon Linux Security Advisory for pcre : AL2012-2023-420
355677 Amazon Linux Security Advisory for glib2 : AL2012-2023-425