CVE-2014-8147
ICU library 52 < 54 - Multiple Vulnerabilities
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
3Exploited in Wild
-Decision
Descriptions
The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text.
La función resolveImplicitLevels en common/ubidi.c en la implementación Unicode Bidirectional Algorithm en ICU4C en International Components for Unicode (ICU) anterior a 55.1 utiliza un tipo de datos de enteros que es inconsistente con un fichero de cabeceras, lo que permite a atacantes remotos causar una denegación de servicio (malloc incorrecto seguido por liberación inválida) o posiblemente ejecutar código arbitrario a través de texto manipulado.
Pedro Ribeiro discovered that ICU incorrectly handled certain memory operations when processing data. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-10-10 CVE Reserved
- 2015-05-05 CVE Published
- 2015-06-10 First Exploit
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-189: Numeric Errors
CAPEC
References (17)
| URL | Tag | Source |
|---|---|---|
| http://openwall.com/lists/oss-security/2015/05/05/6 | Mailing List | |
| http://www.kb.cert.org/vuls/id/602540 | Third Party Advisory |
|
| http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html | Third Party Advisory |
|
| http://www.securityfocus.com/bid/74457 | Third Party Advisory | |
| https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E | Mailing List | |
| https://support.apple.com/HT205213 | Third Party Advisory |
|
| https://support.apple.com/HT205267 | Third Party Advisory |
|
| https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html | X_refsource_misc |
|
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/43887 | 2015-06-10 | |
| http://seclists.org/fulldisclosure/2015/May/14 | 2024-08-06 | |
| https://raw.githubusercontent.com/pedrib/PoC/master/generic/i-c-u-fail.txt | 2024-08-06 |
| URL | Date | SRC |
|---|---|---|
| http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html | 2023-11-07 |
| URL | Date | SRC |
|---|---|---|
| http://bugs.icu-project.org/trac/changeset/37080 | 2023-11-07 | |
| http://lists.apple.com/archives/security-announce/2015/Sep/msg00005.html | 2023-11-07 | |
| http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html | 2023-11-07 | |
| http://www.debian.org/security/2015/dsa-3323 | 2023-11-07 | |
| https://security.gentoo.org/glsa/201507-04 | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apple Search vendor "Apple" | Mac Os X Search vendor "Apple" for product "Mac Os X" | <= 10.10.4 Search vendor "Apple" for product "Mac Os X" and version " <= 10.10.4" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Watchos Search vendor "Apple" for product "Watchos" | <= 1.0.1 Search vendor "Apple" for product "Watchos" and version " <= 1.0.1" | - |
Affected
| ||||||
| Icu-project Search vendor "Icu-project" | International Components For Unicode Search vendor "Icu-project" for product "International Components For Unicode" | < 55.1 Search vendor "Icu-project" for product "International Components For Unicode" and version " < 55.1" | c\/c\+\+ |
Affected
| ||||||