CVE-2015-8866

ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_module_for_web_scripting:12:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:-:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp1:*:*:*:*:*:*

History

20 Jul 2022, 16:32

Type Values Removed Values Added
CPE cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp1:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_module_for_web_scripting:12:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:-:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
CWE NVD-CWE-Other CWE-611
References (CONFIRM) http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9 - Vendor Advisory (CONFIRM) http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9 - Broken Link, Vendor Advisory
References (CONFIRM) https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817 - Third Party Advisory (CONFIRM) https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817 - Issue Tracking, Patch, Third Party Advisory
References (MLIST) http://www.openwall.com/lists/oss-security/2016/04/24/1 - Mailing List, Third Party Advisory (MLIST) http://www.openwall.com/lists/oss-security/2016/04/24/1 - Mailing List, Patch, Third Party Advisory
References (CONFIRM) https://bugs.php.net/bug.php?id=64938 - Vendor Advisory (CONFIRM) https://bugs.php.net/bug.php?id=64938 - Exploit, Issue Tracking, Patch, Vendor Advisory
References (CONFIRM) http://www.php.net/ChangeLog-5.php - Vendor Advisory (CONFIRM) http://www.php.net/ChangeLog-5.php - Release Notes, Vendor Advisory

Information

Published : 2016-05-22 01:59

Updated : 2024-02-04 18:53


NVD link : CVE-2015-8866

Mitre link : CVE-2015-8866

CVE.ORG link : CVE-2015-8866


JSON object : View

Products Affected

suse

  • linux_enterprise_module_for_web_scripting
  • linux_enterprise_software_development_kit

opensuse

  • opensuse
  • leap

canonical

  • ubuntu_linux

php

  • php
CWE
CWE-611

Improper Restriction of XML External Entity Reference