CVE-2017-17484Improper Restriction of Operations within the Bounds of a Memory Buffer in International Components FOR Unicode

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-121Stack-based Buffer Overflow7 documents6 sources
Severity
9.8CRITICALNVD
EPSS
4.5%
top 10.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Icu-project International Components FOR Unicode
Timeline
PublishedDec 10
Latest updateMay 14

Description

The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

Patches

Patch: ssl.icu-project.orgPatch: ssl.icu-project.org

🔴Vulnerability Details

2
GHSA
GHSA-84mq-mqjx-rfmc: The ucnv_UTF8FromUTF8 function in ucnv_u82022-05-14
CVEList
CVE-2017-17484: The ucnv_UTF8FromUTF8 function in ucnv_u82017-12-10

📋Vendor Advisories

2
Red Hat
icu: stack-based buffer overflow in ucnv_u8.cpp:ucnv_UTF8FromUTF8 can lead to denial of service2017-11-21
Debian
CVE-2017-17484: icu - The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Un...2017

💬Community

2
Bugzilla
CVE-2017-17484 icu: stack-based buffer overflow in ucnv_u8.cpp:ucnv_UTF8FromUTF8 can lead to denial of service [fedora-all]2017-12-12
Bugzilla
CVE-2017-17484 icu: stack-based buffer overflow in ucnv_u8.cpp:ucnv_UTF8FromUTF8 can lead to denial of service2017-12-12
CVE-2017-17484 — CRITICAL severity | cvebase