ID CVE-2005-2491
Summary Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.
References
Vulnerable Configurations
  • cpe:2.3:a:pcre:pcre:5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:pcre:pcre:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:pcre:pcre:6.1:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 19-10-2018 - 15:33)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
oval via4
  • accepted 2013-04-29T04:14:32.292-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    description Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.
    family unix
    id oval:org.mitre.oval:def:11516
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.
    version 25
  • accepted 2007-10-02T08:08:09.337-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Todd Dolinsky
      organization Opsware, Inc.
    description Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.
    family unix
    id oval:org.mitre.oval:def:1496
    status accepted
    submitted 2006-03-18T07:24:00.000-04:00
    title Webproxy Integer Overflow in pcre_compile
    version 32
  • accepted 2007-10-02T08:08:10.207-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Todd Dolinsky
      organization Opsware, Inc.
    description Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.
    family unix
    id oval:org.mitre.oval:def:1659
    status accepted
    submitted 2006-03-18T07:24:00.000-04:00
    title VirusVault Integer Overflow in pcre_compile
    version 32
  • accepted 2006-01-25T07:30:00.000-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    description Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.
    family unix
    id oval:org.mitre.oval:def:735
    status accepted
    submitted 2005-11-30T12:00:00.000-04:00
    title Apache Integer Overflow in pcre_compile.c
    version 31
redhat via4
advisories
  • bugzilla
    id 166335
    title CVE-2005-2491 PCRE heap overflow
    oval
    OR
    • AND
      comment Red Hat Enterprise Linux 3 is installed
      oval oval:com.redhat.rhba:tst:20070026001
    • AND
      comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304001
    rhsa
    id RHSA-2006:0197
    released 2006-03-09
    severity Moderate
    title RHSA-2006:0197: python security update (Moderate)
  • rhsa
    id RHSA-2005:358
  • rhsa
    id RHSA-2005:761
refmap via4
apple APPLE-SA-2005-11-29
bid
  • 14620
  • 15647
confirm
debian
  • DSA-800
  • DSA-817
  • DSA-819
  • DSA-821
fedora FLSA:168516
gentoo
  • GLSA-200508-17
  • GLSA-200509-02
  • GLSA-200509-08
  • GLSA-200509-12
  • GLSA-200509-19
hp
  • HPSBMA02159
  • HPSBOV02683
  • HPSBUX02074
  • SSRT051251
  • SSRT061238
  • SSRT090208
openpkg OpenPKG-SA-2005.018
sco SCOSA-2006.10
sectrack 1014744
secunia
  • 16502
  • 16679
  • 17252
  • 17813
  • 19072
  • 19193
  • 19532
  • 21522
  • 22691
  • 22875
sgi 20060401-01-U
sreason 604
sunalert 102198
suse
  • SUSE-SA:2005:048
  • SUSE-SA:2005:049
  • SUSE-SA:2005:051
  • SUSE-SA:2005:052
trustix TSLSA-2005-0059
vupen
  • ADV-2005-1511
  • ADV-2005-2659
  • ADV-2006-0789
  • ADV-2006-4320
  • ADV-2006-4502
statements via4
contributor Mark J Cox
lastmodified 2008-07-02
organization Apache
statement Fixed in Apache 2.0.55: http://httpd.apache.org/security/vulnerabilities_20.html
Last major update 19-10-2018 - 15:33
Published 23-08-2005 - 04:00