CVE-2015-8866

ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.

Published: May 22, 2016
Updated: Apr 13, 2023
CVE: CVE-2015-8866
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.6
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-611

OWASP TOP 10:

A4 - XML External Entities (XXE)

Affected Software
References

Software	From	Fixed in
php / php	7.2.0	7.2.1
php / php	7.1.0	7.1.13
php / php	7.0.0	7.0.27
php / php	5.5.0	5.5.22
php / php	5.6.0	5.6.6
canonical / ubuntu_linux	15.10	15.10.x
canonical / ubuntu_linux	14.04	14.04.x
canonical / ubuntu_linux	12.04	12.04.x
suse / linux_enterprise_software_development_kit	12-sp1	12-sp1.x
suse / linux_enterprise_module_for_web_scripting	12	12.x
opensuse / leap	42.1	42.1.x
opensuse / opensuse	13.2	13.2.x
suse / linux_enterprise_software_development_kit	12	12.x

Vulnerability Database

289,599

CVE-2015-8866