CVE-2007-4770 — International Components FOR Unicode vulnerability

CWE-3998 documents8 sources

Severity

6.8MEDIUMNVD

EPSS

3.7%

top 12.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Icu-project International Components FOR Unicode

Timeline

PublishedJan 29

Latest updateMay 1

Description

libicu in International Components for Unicode (ICU) 3.8.1 and earlier attempts to process backreferences to the nonexistent capture group zero (aka \0), which might allow context-dependent attackers to read from, or write to, out-of-bounds memory locations, related to corruption of REStackFrames.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages1 packages

▶NVDicu-project/international_components3.8.1

Patches

Patch: sourceforge.net ↗Patch: sourceforge.net ↗

🔴Vulnerability Details

GHSA

GHSA-3hvj-9j8h-vgr2: libicu in International Components for Unicode (ICU) 3↗2022-05-01

▶

OSV

CVE-2007-4770: libicu in International Components for Unicode (ICU) 3↗2008-01-29

▶

CVEList

CVE-2007-4770: libicu in International Components for Unicode (ICU) 3↗2008-01-28

▶

📋Vendor Advisories

Ubuntu

libicu vulnerabilities↗2008-03-24

▶

Red Hat

libicu poor back reference validation↗2008-01-22

▶

Debian

CVE-2007-4770: icu - libicu in International Components for Unicode (ICU) 3.8.1 and earlier attempts ...↗2007

▶

💬Community

Bugzilla

CVE-2007-4770 libicu poor back reference validation↗2008-01-16

▶