CVE-2017-15396

Published: Aug 28, 2018Modified: Nov 21, 2024

6.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

A stack buffer overflow in NumberingSystem in International Components for Unicode (ICU) for C/C++ before 60.2, as used in V8 in Google Chrome prior to 62.0.3202.75 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Affected (8)

Products: Google: Chrome · Redhat: Enterprise Linux Desktop, Enterprise Linux Server, Enterprise Linux Workstation · Debian: Debian Linux · +1 more

Show all products

Google: Chrome · Redhat: Enterprise Linux Desktop, Enterprise Linux Server, Enterprise Linux Workstation · Debian: Debian Linux · Icu Project: International Components For Unicode

1 product

3 products

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Workstation

1 product

1 product

International Components For Unicode

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Google Chrome	Before 62.0.3202.75

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux Desktop	Version 6.0
Redhat Enterprise Linux Server	Version 6.0
Redhat Enterprise Linux Workstation	Version 6.0

Configuration C

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Icu Project International Components For Unicode	Before 60.2

Related CWEs

Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

References (14)

http://bugs.icu-project.org/trac/changeset/40494

Source: chrome-cve-admin@google.com

http://www.securityfocus.com/bid/101597

Source: chrome-cve-admin@google.com

https://access.redhat.com/errata/RHSA-2017:3082

Source: chrome-cve-admin@google.com

https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop_26.html

Source: chrome-cve-admin@google.com

https://crbug.com/770452

Source: chrome-cve-admin@google.com

https://security.gentoo.org/glsa/201711-02

Source: chrome-cve-admin@google.com

https://www.debian.org/security/2017/dsa-4020

Source: chrome-cve-admin@google.com

http://bugs.icu-project.org/trac/changeset/40494

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/101597

Source: af854a3a-2127-422b-91ae-364da2661108

https://access.redhat.com/errata/RHSA-2017:3082

Source: af854a3a-2127-422b-91ae-364da2661108

https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop_26.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://crbug.com/770452

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/201711-02

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.debian.org/security/2017/dsa-4020

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.