
From: Gordon Fyodor Lyon <fyodor () nmap org>
Date: Mon, 20 Jun 2022 14:09:29 -0700
Hi Shivani. Thanks for the report. Those two vulnerabilities are in the PCRE2 (2nd generation) PCRE library. Although we plan to upgrade to PCRE2 soon, Nmap is currently still using the 1st generation PCRE which is not susceptible to these bugs. When we do upgrade, we will be sure to use a fixed version of PCRE2. Also, Nmap version 4.6 and 5.21 are ancient and well worth upgrading for other reasons. On Mon, Jun 20, 2022 at 1:47 PM Sharma, Shivani via dev <dev () nmap org> wrote:
Hi Team, We are using Nmap 4.6 and 5.21 in our project and scan tool reports one vulnerability to Nmap which is related to PCRE2. As per vulnerabilities ,CVE-2022-1586: This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT. CVE-2022-1587: This comes with PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers. We want to ask following questions 1. Is Nmap 4.6 and 5.21 are vulnerable to CVE-2022-1586 and CVE-2022-1587 issue? 2. If it is vulnerable so in which version it is vulnerable free and how can we get that. Regards, Shivani This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at https://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at https://seclists.org/nmap-dev/