CVE-2017-8399 - Vulnerability Details - OpenCVE

PCRE2 before 10.30 has an out-of-bounds write caused by a stack-based buffer overflow in pcre2_match.c, related to a "pattern with very many captures."

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.02737.

Key SSVC decision points have not yet been added.

Vendors	Products
Pcre Subscribe	Pcre2 Subscribe

Configuration 1 [-]

cpe:2.3:a:pcre:pcre2:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2017-17351	PCRE2 before 10.30 has an out-of-bounds write caused by a stack-based buffer overflow in pcre2_match.c, related to a "pattern with very many captures."

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.securityfocus.com/bid/98315
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=783
https://nvd.nist.gov/vuln/detail/CVE-2017-8399
https://security.gentoo.org/glsa/201710-09
https://vcs.pcre.org/pcre2/code/tags/pcre2-10.30/ChangeLog?revision=854&view=markup
https://vcs.pcre.org/pcre2?view=revision&revision=674
https://www.cve.org/CVERecord?id=CVE-2017-8399

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-05-01T18:00:00

Updated: 2024-08-05T16:34:23.032Z

Reserved: 2017-05-01T00:00:00

Link: CVE-2017-8399

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2017-05-01T18:59:00.403

Modified: 2025-04-20T01:37:25.860

Link: CVE-2017-8399

Redhat

Severity : Moderate

Publid Date: 2017-03-10T00:00:00Z

Links: CVE-2017-8399 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-05-01T00:00:00", "descriptions": [{"lang": "en", "value": "PCRE2 before 10.30 has an out-of-bounds write caused by a stack-based buffer overflow in pcre2_match.c, related to a \"pattern with very many captures.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-08-28T16:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "GLSA-201710-09", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201710-09"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://vcs.pcre.org/pcre2/code/tags/pcre2-10.30/ChangeLog?revision=854&view=markup"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=783"}, {"tags": ["x_refsource_MISC"], "url": "https://vcs.pcre.org/pcre2?view=revision&revision=674"}, {"name": "98315", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/98315"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-8399", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "PCRE2 before 10.30 has an out-of-bounds write caused by a stack-based buffer overflow in pcre2_match.c, related to a \"pattern with very many captures.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "GLSA-201710-09", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201710-09"}, {"name": "https://vcs.pcre.org/pcre2/code/tags/pcre2-10.30/ChangeLog?revision=854&view=markup", "refsource": "CONFIRM", "url": "https://vcs.pcre.org/pcre2/code/tags/pcre2-10.30/ChangeLog?revision=854&view=markup"}, {"name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=783", "refsource": "MISC", "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=783"}, {"name": "https://vcs.pcre.org/pcre2?view=revision&revision=674", "refsource": "MISC", "url": "https://vcs.pcre.org/pcre2?view=revision&revision=674"}, {"name": "98315", "refsource": "BID", "url": "http://www.securityfocus.com/bid/98315"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T16:34:23.032Z"}, "title": "CVE Program Container", "references": [{"name": "GLSA-201710-09", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201710-09"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://vcs.pcre.org/pcre2/code/tags/pcre2-10.30/ChangeLog?revision=854&view=markup"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=783"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://vcs.pcre.org/pcre2?view=revision&revision=674"}, {"name": "98315", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/98315"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-8399", "datePublished": "2017-05-01T18:00:00", "dateReserved": "2017-05-01T00:00:00", "dateUpdated": "2024-08-05T16:34:23.032Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pcre:pcre2:*:*:*:*:*:*:*:*", "matchCriteriaId": "66F1DE98-34B3-4DFB-BFE5-5581C3B2B12F", "versionEndExcluding": "10.30", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PCRE2 before 10.30 has an out-of-bounds write caused by a stack-based buffer overflow in pcre2_match.c, related to a \"pattern with very many captures.\""}, {"lang": "es", "value": "PCRE2 en versiones anteriores a la 10.30 tiene una escritura fuera de l\u00edmites provocada por un desbordamiento de b\u00fafer basado en pila en pcre2_match.c. Esto est\u00e1 relacionado con un \"pattern with very many captures\"."}], "id": "CVE-2017-8399", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-05-01T18:59:00.403", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/98315"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=783"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201710-09"}, {"source": "cve@mitre.org", "url": "https://vcs.pcre.org/pcre2/code/tags/pcre2-10.30/ChangeLog?revision=854&view=markup"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://vcs.pcre.org/pcre2?view=revision&revision=674"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/98315"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=783"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201710-09"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://vcs.pcre.org/pcre2/code/tags/pcre2-10.30/ChangeLog?revision=854&view=markup"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://vcs.pcre.org/pcre2?view=revision&revision=674"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "pcre2: Stack-based buffer overflow in pcre2_match.c", "id": "1449629", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1449629"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-121", "details": ["PCRE2 before 10.30 has an out-of-bounds write caused by a stack-based buffer overflow in pcre2_match.c, related to a \"pattern with very many captures.\""], "name": "CVE-2017-8399", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "pcre", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "glib2", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "pcre", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "glib2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "pcre", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "pcre2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "virtuoso-opensource", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:2", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat JBoss Enterprise Web Server 2"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3", "fix_state": "Not affected", "package_name": "pcre", "product_name": "Red Hat JBoss Web Server 3"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Not affected", "package_name": "rh-mariadb100-mariadb", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Not affected", "package_name": "rh-mariadb101-mariadb", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Not affected", "package_name": "rh-php56-php", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Not affected", "package_name": "rh-php70-php", "product_name": "Red Hat Software Collections"}], "public_date": "2017-03-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-8399\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-8399"], "threat_severity": "Moderate"}