Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-8147 — Integer Overflow or Wraparound in International Components FOR Unicode

CWE-189 CWE-190 — Integer Overflow or Wraparound15 documents10 sources

Severity

7.5HIGHNVD

EPSS

41.9%

top 2.56%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Icu-project International Components FOR Unicode Apple MAC OS X Apple Watchos

Timeline

PublishedMay 25

Latest updateMay 14

Description

The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶NVDicu-project/international_components< 55.1

▶NVDapple/watchos1.0.1

▶NVDapple/mac_os_x10.10.4

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-94pf-226p-r5p9: The resolveImplicitLevels function in common/ubidi↗2022-05-14

▶

OSV

CVE-2014-8147: The resolveImplicitLevels function in common/ubidi↗2015-05-25

▶

CVEList

CVE-2014-8147: The resolveImplicitLevels function in common/ubidi↗2015-05-25

▶

💥Exploits & PoCs

Exploit-DB

ICU library 52 < 54 - Multiple Vulnerabilities↗2015-06-10

▶

📋Vendor Advisories

Ubuntu

ICU vulnerabilities↗2015-05-11

▶

Red Hat

icu: integer truncation in the resolveImplicitLevels function↗2015-05-05

▶

Debian

CVE-2014-8147: icu - The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectiona...↗2014

▶

Apple

CVE-2014-8147: iTunes 12.3↗

▶

Apple

CVE-2014-8147: OS X El Capitan v10.11↗

▶

💬Community

Bugzilla

ICU: integer overflow via incorrect state size↗2015-05-18

▶

Bugzilla

CVE-2014-8147 CVE-2014-8146 icu: various flaws [fedora-all]↗2015-05-06

▶

Bugzilla

CVE-2014-8147 icu: integer truncation in the resolveImplicitLevels function↗2014-12-19

▶