← Back

CVE-2015-8866

nvd nist
Published: May 22, 2016Modified: May 6, 2026

JSON object

Loading...
9.6
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 6.0
Source: NVD

Description

ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.

Affected (13)

Products: Php: Php · Canonical: Ubuntu Linux · Opensuse: Leap, Opensuse · +1 more
Show all products
Php: Php · Canonical: Ubuntu Linux · Opensuse: Leap, Opensuse · Suse: Linux Enterprise Module For Web Scripting, Linux Enterprise Software Development Kit
Php
1 product
Php
Canonical
1 product
Ubuntu Linux
Opensuse
2 products
Leap
Opensuse
Suse
2 products
Linux Enterprise Module For Web Scripting
Linux Enterprise Software Development Kit
Configuration A
5 vulnerable
Vulnerable SoftwareAffected Versions
Php
Php
From 5.5.0 to 5.5.22
Php
From 5.6.0 to 5.6.6
Php
From 7.0.0 to 7.0.27
Php
From 7.1.0 to 7.1.13
Php
From 7.2.0 to 7.2.1
Configuration B
3 vulnerable
Vulnerable SoftwareAffected Versions
Canonical
Ubuntu Linux
Version 12.04
Ubuntu Linux
Version 14.04
Ubuntu Linux
Version 15.10
Configuration C
5 vulnerable
Vulnerable SoftwareAffected Versions
Leap
Version 42.1
Opensuse
Version 13.2
Linux Enterprise Module For Web Scripting
Version 12
Suse
Linux Enterprise Software Development Kit
Version 12
Linux Enterprise Software Development Kit
Version 12 sp1

Related CWEs

CWE-611
Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (24)

Source: cve@mitre.org
Source: cve@mitre.org
Mailing ListThird Party Advisory
Source: cve@mitre.org
Mailing ListThird Party Advisory
Source: cve@mitre.org
Mailing ListThird Party Advisory
Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
Mailing ListPatchThird Party Advisory
Source: cve@mitre.org
Release NotesVendor Advisory
Source: cve@mitre.org
Third Party AdvisoryVDB Entry
Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
Issue TrackingPatchThird Party Advisory
Source: cve@mitre.org
ExploitIssue TrackingPatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListPatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Release NotesVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Issue TrackingPatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitIssue TrackingPatchVendor Advisory

Timeline

No history available yet.