CVE-2015-8978

EUVD-2015-8832
In Soap Lite (aka the SOAP::Lite extension for Perl) 1.14 and earlier, an example attack consists of defining 10 or more XML entities, each defined as consisting of 10 of the previous entity, with the document consisting of a single instance of the largest entity, which expands to one billion copies of the first entity. The amount of computer memory used for handling an external SOAP call would likely exceed that available to the process parsing the XML.
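A defensive pre-parse check for the nested-entity pattern described above, as an added example (not code from SOAP::Lite or from this advisory): it sizes each internal entity arithmetically from its declaration instead of expanding it. The function names, the regex-based declaration scan and the 100,000-character budget are assumptions made for illustration.

```python
import re
# Added example: helper names are hypothetical, not part of any SOAP::Lite API.
# Matches internal general entities only: <!ENTITY name "value">
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.:-]+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r'&([\w.:-]+);')
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "apos": 1, "quot": 1}

def expanded_sizes(xml_text):
    """Return {entity: expanded length in chars}, computed arithmetically."""
    decls = {}
    for name, _quote, value in ENTITY_DECL.findall(xml_text):
        decls.setdefault(name, value)  # XML: the first declaration wins
    sizes = dict(PREDEFINED)
    in_progress = set()

    def size(name):
        if name in sizes:
            return sizes[name]
        if name not in decls:
            return 0  # undeclared reference: a real parser raises an error
        if name in in_progress:
            raise ValueError("recursive entity: " + name)
        in_progress.add(name)
        value = decls[name]
        literal = len(ENTITY_REF.sub("", value))  # text outside references
        total = literal + sum(size(r) for r in ENTITY_REF.findall(value))
        in_progress.discard(name)
        sizes[name] = total  # memoised, so each entity is sized once
        return total

    for name in decls:
        size(name)
    return {n: sizes[n] for n in decls}

def check_entity_budget(xml_text, max_chars=100_000):
    """Raise ValueError if any declared entity would expand past max_chars."""
    worst = max(expanded_sizes(xml_text).values(), default=0)
    if worst > max_chars:
        raise ValueError("entity expansion of %d chars exceeds %d" % (worst, max_chars))
    return worst

def constructed_sample(levels=10, fanout=10):
    """Constructed test input shaped like the document the description outlines."""
    decls = ['<!ENTITY e0 "x">']
    for i in range(1, levels):
        decls.append('<!ENTITY e%d "%s">' % (i, ("&e%d;" % (i - 1)) * fanout))
    return '<!DOCTYPE d [%s]><d>&e%d;</d>' % ("".join(decls), levels - 1)
```

Run the check on the raw request body before it reaches the XML parser; it reads only the declarations, so the nested sample is sized without allocating the expanded text.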
Provider: NIST
Type: Primary
Base Score: 7.5 HIGH
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score Percentile: 71%
Affected Products (NVD)
Vendor / Product: soap\\
Version: 𝑥 ≤ 1.14 (𝑥 = vulnerable software versions)
Debian Releases
Debian Product: libsoap-lite-perl
Codename: version (status)
bookworm: 1.27-3 (fixed)
bullseye: 1.27-1 (fixed)
jessie: no-dsa
sid: 1.27-3 (fixed)
trixie: 1.27-3 (fixed)
Ubuntu Releases
Ubuntu Product: libsoap-lite-perl
Codename: status
artful: not-affected
bionic: not-affected
cosmic: not-affected
disco: not-affected
precise: released (Fixed 0.714-1+deb7u1build0.12.04.1)
trusty: dne
xenial: not-affected
yakkety: not-affected
zesty: not-affected
Common Weakness Enumeration