Vulnerability Description
The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Php | Php | <= 5.3.28 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2016/11/25/1Third Party Advisory
- http://www.php.net/ChangeLog-5.phpRelease NotesVendor Advisory
- http://www.securityfocus.com/bid/68549
- https://bugs.php.net/bug.php?id=67397PatchVendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1383569Issue TrackingPatchThird Party Advisory
- http://www.openwall.com/lists/oss-security/2016/11/25/1Third Party Advisory
- http://www.php.net/ChangeLog-5.phpRelease NotesVendor Advisory
- http://www.securityfocus.com/bid/68549
- https://bugs.php.net/bug.php?id=67397PatchVendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1383569Issue TrackingPatchThird Party Advisory
FAQ
What is CVE-2014-9912?
CVE-2014-9912 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp ...
How severe is CVE-2014-9912?
CVE-2014-9912 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2014-9912?
Check the references section above for vendor advisories and patch information. Affected products include: Php Php.