CVE-2014-8146

Current Description

The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 does not properly track directionally isolated pieces of text, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text.

Basic Data

Published: May 25, 2015
Last Modified: April 23, 2019
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-119
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 7.5
Severity: HIGH
Exploitability Score: 10.0
Impact Score: 6.4
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including / Version End Including / Version Start Excluding / Version End Excluding
    2.3 | Application | Apple | Itunes | * | * | * | * | * | * | * | * | 12.1.3
    2.3 | OS | Apple | Iphone Os | * | * | * | * | * | * | * | * | 8.2
    2.3 | OS | Apple | Mac Os X | * | * | * | * | * | * | * | * | 10.10.4
    2.3 | OS | Apple | Watchos | * | * | * | * | * | * | * | * | 1.0.1
  • OR - Configuration 2
    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including / Version End Including / Version Start Excluding / Version End Excluding
    2.3 | Application | Icu-project | International Components For Unicode | * | * | * | * | * | c/c++ | * | * | 55.1

Vulnerable Software List

Vendor | Product | Versions
Apple | Iphone Os | *
Apple | Watchos | *
Apple | Itunes | *
Apple | Mac Os X | *
Icu-project | International Components For Unicode | *

References

Name | Source | URL | Tags
http://bugs.icu-project.org/trac/changeset/37162 | CONFIRM | http://bugs.icu-project.org/trac/changeset/37162 | Issue Tracking, Vendor Advisory
APPLE-SA-2015-09-16-1 | APPLE | http://lists.apple.com/archives/security-announce/2015/Sep/msg00001.html | Mailing List
APPLE-SA-2015-09-16-3 | APPLE | http://lists.apple.com/archives/security-announce/2015/Sep/msg00003.html | Mailing List
APPLE-SA-2015-09-21-1 | APPLE | http://lists.apple.com/archives/security-announce/2015/Sep/msg00005.html | Mailing List
APPLE-SA-2015-09-30-3 | APPLE | http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html | Mailing List
[oss-security] 20150505 [CVE-2014-8146/8147] - ICU heap and integer overflows / I-C-U-FAIL | MLIST | http://openwall.com/lists/oss-security/2015/05/05/6 | Mailing List
20150505 [CVE-2014-8146/8147] - ICU heap and integer overflows / I-C-U-FAIL | FULLDISC | http://seclists.org/fulldisclosure/2015/May/14 | Exploit, Mailing List, Third Party Advisory
DSA-3323 | DEBIAN | http://www.debian.org/security/2015/dsa-3323 | Third Party Advisory
VU#602540 | CERT-VN | http://www.kb.cert.org/vuls/id/602540 | Third Party Advisory, US Government Resource
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html | CONFIRM | http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html | Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html | CONFIRM | http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html | Patch
74457 | BID | http://www.securityfocus.com/bid/74457 | Third Party Advisory, VDB Entry
https://raw.githubusercontent.com/pedrib/PoC/master/generic/i-c-u-fail.txt | MISC | https://raw.githubusercontent.com/pedrib/PoC/master/generic/i-c-u-fail.txt | Exploit
GLSA-201507-04 | GENTOO | https://security.gentoo.org/glsa/201507-04 | Third Party Advisory
https://support.apple.com/HT205212 | CONFIRM | https://support.apple.com/HT205212 | Third Party Advisory
https://support.apple.com/HT205213 | CONFIRM | https://support.apple.com/HT205213 | Third Party Advisory
https://support.apple.com/HT205221 | CONFIRM | https://support.apple.com/HT205221 | Third Party Advisory
https://support.apple.com/HT205267 | CONFIRM | https://support.apple.com/HT205267 | Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html | MISC | https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html |