CVE-2013-0252 : boost::locale::utf::utf_traits in the Boost.Locale library in Boost 1.48 through

boost::locale::utf::utf_traits in the Boost.Locale library in Boost 1.48 through 1.52 does not properly detect certain invalid UTF-8 sequences, which might allow remote attackers to bypass input validation protection mechanisms via crafted trailing bytes.

Published 2013-03-12 22:55:02

Updated 2025-04-11 00:51:22

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2013-0252

Boost » Boost » Version: 1.48.0
cpe:2.3:a:boost:boost:1.48.0:*:*:*:*:*:*:*
Matching versions
Boost » Boost » Version: 1.49.0
cpe:2.3:a:boost:boost:1.49.0:*:*:*:*:*:*:*
Matching versions
Boost » Boost » Version: 1.52.0
cpe:2.3:a:boost:boost:1.52.0:*:*:*:*:*:*:*
Matching versions
Boost » Boost » Version: 1.50.0
cpe:2.3:a:boost:boost:1.50.0:*:*:*:*:*:*:*
Matching versions
Boost » Boost » Version: 1.51.0
cpe:2.3:a:boost:boost:1.51.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-0252

EPSS FAQ

1.68%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 80 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-0252

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2013-0252

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-0252

https://bugzilla.redhat.com/show_bug.cgi?id=907481

907481 – (CVE-2013-0252) CVE-2013-0252 boost: Certain invalid UTF-8 sequences accepted as valid
http://www.mandriva.com/security/advisories?name=MDVSA-2013:065

mandriva.com

CVEs referencing this url
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/099103.html

[SECURITY] Fedora 17 Update: boost-1.48.0-14.fc17
http://www.ubuntu.com/usn/USN-1727-1

USN-1727-1: Boost vulnerability | Ubuntu security notices
http://www.boost.org/users/news/boost_locale_security_notice.html

Boost.Locale security notice
http://www.openwall.com/lists/oss-security/2013/02/04/2

oss-security - Re: CVE id request: boost
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699649

#699649 - Boost.Locale library security flaw - Debian Bug report logs
http://www.securityfocus.com/bid/57675

Boost UTF-8 'utf_traits::decode()' Function Input Validation Vulnerability
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/099122.html

[SECURITY] Fedora 18 Update: boost-1.50.0-5.fc18
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699650

#699650 - Boost.Locale library security flaw - Debian Bug report logs
https://svn.boost.org/trac/boost/ticket/7743

#7743 (utf_traits::decode does not check for correct UTF-8 trailing bytes) – Boost C++ Libraries

Jump to

Vulnerability Details : CVE-2013-0252

Products affected by CVE-2013-0252

Exploit prediction scoring system (EPSS) score for CVE-2013-0252

CVSS scores for CVE-2013-0252

CWE ids for CVE-2013-0252

References for CVE-2013-0252