{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-11-22T00:00:00", "descriptions": [{"lang": "en", "value": "In Soap Lite (aka the SOAP::Lite extension for Perl) 1.14 and earlier, an example attack consists of defining 10 or more XML entities, each defined as consisting of 10 of the previous entity, with the document consisting of a single instance of the largest entity, which expands to one billion copies of the first entity. The amount of computer memory used for handling an external SOAP call would likely exceed that available to the process parsing the XML."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-11-25T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "94487", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/94487"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://cpansearch.perl.org/src/PHRED/SOAP-Lite-1.20/Changes"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-8978", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Soap Lite (aka the SOAP::Lite extension for Perl) 1.14 and earlier, an example attack consists of defining 10 or more XML entities, each defined as consisting of 10 of the previous entity, with the document consisting of a single instance of the largest entity, which expands to one billion copies of the first entity. The amount of computer memory used for handling an external SOAP call would likely exceed that available to the process parsing the XML."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "94487", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94487"}, {"name": "http://cpansearch.perl.org/src/PHRED/SOAP-Lite-1.20/Changes", "refsource": "CONFIRM", "url": "http://cpansearch.perl.org/src/PHRED/SOAP-Lite-1.20/Changes"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T08:36:30.737Z"}, "title": "CVE Program Container", "references": [{"name": "94487", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/94487"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://cpansearch.perl.org/src/PHRED/SOAP-Lite-1.20/Changes"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-8978", "datePublished": "2016-11-22T17:00:00", "dateReserved": "2016-11-22T00:00:00", "dateUpdated": "2024-08-06T08:36:30.737Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:soap\\:\\:lite_project:soap\\:\\:lite:*:*:*:*:*:perl:*:*", "matchCriteriaId": "FB4DACB9-2E9E-4CBE-825F-FC0303D8CC86", "versionEndIncluding": "1.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Soap Lite (aka the SOAP::Lite extension for Perl) 1.14 and earlier, an example attack consists of defining 10 or more XML entities, each defined as consisting of 10 of the previous entity, with the document consisting of a single instance of the largest entity, which expands to one billion copies of the first entity. The amount of computer memory used for handling an external SOAP call would likely exceed that available to the process parsing the XML."}, {"lang": "es", "value": "En Soap Lite (tambi\u00e9n conocido como la extensi\u00f3n SOAP::Lite para Perl) 1.14 y versiones anteriores, un ejemplo de ataque consiste en definir 10 o m\u00e1s entidades XML, cada una definida como consistente de 10 de la entidad anterior, con el documento consistente de una \u00fanica instancia de la entidad m\u00e1s grande, que se expande a mil millones de copias de la primera entidad. La suma de la memoria del ordenador utilizada para manejar una llamada SOAP externa probablemente superar\u00eda el disponible para el proceso de an\u00e1lisis del XML."}], "id": "CVE-2015-8978", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-11-22T17:59:00.180", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://cpansearch.perl.org/src/PHRED/SOAP-Lite-1.20/Changes"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/94487"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://cpansearch.perl.org/src/PHRED/SOAP-Lite-1.20/Changes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/94487"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-399"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "perl-SOAP-Lite: XML exponential entity expansion denial-of-service", "id": "1397731", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1397731"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "draft"}, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-400", "details": ["In Soap Lite (aka the SOAP::Lite extension for Perl) 1.14 and earlier, an example attack consists of defining 10 or more XML entities, each defined as consisting of 10 of the previous entity, with the document consisting of a single instance of the largest entity, which expands to one billion copies of the first entity. The amount of computer memory used for handling an external SOAP call would likely exceed that available to the process parsing the XML."], "name": "CVE-2015-8978", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "perl-SOAP-Lite", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/a:redhat:network_satellite:5", "fix_state": "Will not fix", "package_name": "perl-SOAP-Lite", "product_name": "Red Hat Satellite 5"}, {"cpe": "cpe:/a:redhat:network_proxy:5.6", "fix_state": "Will not fix", "package_name": "perl-SOAP-Lite", "product_name": "Red Hat Satellite Proxy 5.6"}], "public_date": "2015-07-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-8978\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-8978"], "statement": "Red Hat Product Security has rated this issue as having Moderate security\nimpact. This issue is not currently planned to be addressed in future\nupdates. For additional information, refer to the Issue Severity\nClassification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Moderate"}