CVE-2023-52389

2024-01-2703:15:07

CWE-190

mitre

web.nvd.nist.gov

cve-2023-52389

poco

utf32encoding

integer overflow

stack buffer overflow

nvd

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.001

Percentile

27.3%

JSON

UTF32Encoding.cpp in POCO has a Poco::UTF32Encoding integer overflow and resultant stack buffer overflow because Poco::UTF32Encoding::convert() and Poco::UTF32::queryConvert() may return a negative integer if a UTF-32 byte sequence evaluates to a value of 0x80000000 or higher. This is fixed in 1.11.8p2, 1.12.5p2, and 1.13.0.

Affected configurations

Nvd

Node

pocoprojectpocoRange<1.11.8

pocoprojectpocoRange1.12.0–1.12.5

pocoprojectpocoMatch1.11.8-

pocoprojectpocoMatch1.11.8p1

pocoprojectpocoMatch1.12.5-

VendorProductVersionCPE
pocoprojectpoco1.11.8cpe:/a:pocoproject:poco:1.11.8:-::
pocoprojectpoco1.11.8cpe:/a:pocoproject:poco:1.11.8:p1::
pocoprojectpoco1.12.5cpe:/a:pocoproject:poco:1.12.5:-::

Vendor	Product	Version	CPE
pocoproject	poco	1.11.8	cpe:/a:pocoproject:poco:1.11.8:-::
pocoproject	poco	1.11.8	cpe:/a:pocoproject:poco:1.11.8:p1::
pocoproject	poco	1.12.5	cpe:/a:pocoproject:poco:1.12.5:-::