CVE-2015-8866

CRITICAL

9.6

CVSS Severity Score

EPSS Score0.0570%

EPSS Percentile24.43th

Published2016年5月22日

Last Modified2026年5月6日

Vulnerability Description

ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.

Affected Platforms (CPE)

📦

Php

>= 5.5.0 and < 5.5.22

📦

Php

>= 5.6.0 and < 5.6.6

📦

Php

>= 7.0.0 and < 7.0.27

📦

Php

>= 7.1.0 and < 7.1.13

📦

Php

>= 7.2.0 and < 7.2.1

💻

Canonical

Ubuntu Linux

= 12.04

💻

Canonical

Ubuntu Linux

= 14.04

💻

Canonical

Ubuntu Linux

= 15.10

💻

Opensuse

Leap

= 42.1

💻

Opensuse

= 13.2

💻

Suse

Linux Enterprise Module For Web Scripting

= 12

💻

Suse

Linux Enterprise Software Development Kit

= 12

💻

Suse

Linux Enterprise Software Development Kit

= 12

References & Advisories

🔗 http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=de31324c221c1791b26350ba106cc26bad23ace9

🔗 http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00031.html

🔗 http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00033.html

🔗 http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00056.html

🔗 http://rhn.redhat.com/errata/RHSA-2016-2750.html

🔗 http://www.openwall.com/lists/oss-security/2016/04/24/1

🔗 http://www.php.net/ChangeLog-5.php

🔗 http://www.securityfocus.com/bid/87470

Vulnerability Description

Affected Platforms (CPE)

Php

Php

Php

Php

Php

Ubuntu Linux

Ubuntu Linux

Ubuntu Linux

Leap

Opensuse

Linux Enterprise Module For Web Scripting

Linux Enterprise Software Development Kit

Linux Enterprise Software Development Kit

References & Advisories

相关漏洞威胁