CVE-2023-52389
PUBLISHED
CVSS 9.3 CRITICAL
UTF32Encoding.cpp in POCO has a Poco::UTF32Encoding integer overflow and resultant stack buffer overflow because Poco::UTF32Encoding::convert() and Poco::UTF32::queryConvert() may return a negative integer if a UTF-32 byte sequence evaluates to a value of 0x80000000 or higher. This is fixed in 1.11.8p2, 1.12.5p2, and 1.13.0.
EPSS 0.13% · 32.3rd percentile
Risk Scores
CVSS v4.0
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Score
0.13%
32.3rd percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| pocoproject | poco | 1.12.5, 1.11.8 |
Timeline
- Jan 27, 2024 CVE Published
- Jan 27, 2024 PoC Published
- Jan 28, 2024 PoC Published
- Jan 31, 2024 EPSS Score
- Feb 8, 2024 CVE Updated
- Feb 20, 2024 PoC Published
- Feb 28, 2024 EPSS Score
- Mar 26, 2024 EPSS Score
- Apr 23, 2024 EPSS Score
- May 20, 2024 EPSS Score
- Jun 17, 2024 EPSS Score
- Jul 14, 2024 EPSS Score
References
- https://pocoproject.org/blog/?p=1226
- https://github.com/pocoproject/poco/issues/4320
- https://github.com/pocoproject/poco/compare/poco-1.12.5p2-release...poco-1.13.0-release
- https://lists.debian.org/debian-lts-announce/2025/01/msg00017.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-52389 (advisory)