CVE-2015-8978

In Soap Lite (aka the SOAP::Lite extension for Perl) 1.14 and earlier, an example attack consists of defining 10 or more XML entities, each defined as consisting of 10 of the previous entity, with the document consisting of a single instance of the largest entity, which expands to one billion copies of the first entity. The amount of computer memory used for handling an external SOAP call would likely exceed that available to the process parsing the XML.

Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
mitre | CNA | --- | ---
CVE | ADP | --- | ---

EPSS Score Percentile: 68%

Vendor | Product | Version
soap\\ | 𝑥 ≤ 1.14
𝑥 = Vulnerable software versions
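
Debian Releases

Debian Product | Codename | Version | Status
libsoap-lite-perl | bullseye | 1.27-1 | fixed
libsoap-lite-perl | jessie | | no-dsa
libsoap-lite-perl | sid | 1.27-3 | fixed
libsoap-lite-perl | trixie | 1.27-3 | fixed
libsoap-lite-perl | bookworm | 1.27-3 | fixed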
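
Ubuntu Releases

Ubuntu Product | Codename | Version | Status
libsoap-lite-perl | disco | | not-affected
libsoap-lite-perl | cosmic | | not-affected
libsoap-lite-perl | bionic | | not-affected
libsoap-lite-perl | artful | | not-affected
libsoap-lite-perl | zesty | | not-affected
libsoap-lite-perl | yakkety | | not-affected
libsoap-lite-perl | xenial | | not-affected
libsoap-lite-perl | trusty | | dne
libsoap-lite-perl | precise | Fixed 0.714-1+deb7u1build0.12.04.1 | released
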
Common Weakness Enumeration