{"id":"CVE-2020-10531","details":"An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.","aliases":["BIT-node-2020-10531","BIT-node-min-2020-10531"],"modified":"2026-02-14T00:12:19.655521Z","published":"2020-03-12T19:15:13.227Z","related":["ALSA-2020:0902","ALSA-2020:1293","ALSA-2020:1317","SUSE-OU-2024:0647-1","SUSE-SU-2020:0819-1","SUSE-SU-2020:0819-2","SUSE-SU-2020:1180-1","SUSE-SU-2020:1568-1","SUSE-SU-2020:1575-1","SUSE-SU-2023:3563-1","SUSE-SU-2023:3563-2","SUSE-SU-2023:3563-3","openSUSE-SU-2020:0459-1","openSUSE-SU-2024:12116-1","openSUSE-SU-2024:13127-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/"},{"type":"WEB","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00004.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0738"},{"type":"ADVISORY","url":"https://bugs.chromium.org/p/chromium/issues/detail?id=1044570"},{"type":"ADVISORY","url":"https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html"},{"type":"ADVISORY","url":"https://chromium.googlesource.com/chromium/deps/icu/+/9f4020916eb1f28f3666f018fdcbe6c9a37f0e08"},{"type":"ADVISORY","url":"https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca"},{"type":"ADVISORY","url":"https://github.com/unicode-org/icu/pull/971"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00024.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202003-15"},{"type":"ADVISORY","url":"https://unicode-org.atlassian.net/browse/ICU-20958"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4305-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4646"},{"type":"ADVISORY","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"REPORT","url":"https://bugs.chromium.org/p/chromium/issues/detail?id=1044570"},{"type":"REPORT","url":"https://github.com/unicode-org/icu/pull/971"},{"type":"REPORT","url":"https://unicode-org.atlassian.net/browse/ICU-20958"},{"type":"FIX","url":"https://chromium.googlesource.com/chromium/deps/icu/+/9f4020916eb1f28f3666f018fdcbe6c9a37f0e08"},{"type":"FIX","url":"https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca"},{"type":"FIX","url":"https://github.com/unicode-org/icu/pull/971"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"ARTICLE","url":"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00004.html"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00024.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nodejs/node","events":[{"introduced":"ab4af087e83d91a46354d765306d3543b1d85423"},{"fixed":"23adb548a57db0c56e359265108e7fe71d8b4f73"}]}],"versions":["v10.13.0","v10.14.0","v10.14.1","v10.14.2","v10.15.0","v10.15.1","v10.15.2","v10.15.3","v10.16.0","v10.16.1","v10.16.2","v10.16.3","v10.17.0","v10.18.0","v10.18.1","v10.19.0","v10.20.0","v10.20.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-10531.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/unicode-org/icu","events":[{"introduced":"0"},{"fixed":"b7d08bc04a4296982fcef8b6b8a354a9e4e7afca"}]}],"versions":["cldr-32-beta2","last-cvs-commit","last-svn-commit","milestone-59-0-1","milestone-60-0-1","release-59-rc","release-60-rc","release-61-rc","release-62-rc","release-63-rc","release-64-1","release-64-2","release-64-2-rc","release-64-rc","release-64-rc2","release-65-1","release-65-rc","release-66-preview"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["163326310584139620683127306141902484022","53777311359894187782715740876739193896","259529947505127728544220868421245451215","275100226479365140411992926648193383127"]},"signature_type":"Line","id":"CVE-2020-10531-073eef5e","target":{"file":"icu4c/source/common/unistr.cpp"},"deprecated":false},{"source":"https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca","signature_version":"v1","digest":{"length":783,"function_hash":"311203197988252367781213452935901397736"},"signature_type":"Function","id":"CVE-2020-10531-52deb174","target":{"function":"UnicodeString::doAppend","file":"icu4c/source/common/unistr.cpp"},"deprecated":false},{"source":"https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca","signature_version":"v1","digest":{"length":1182,"function_hash":"282047263291457392771884626389331655576"},"signature_type":"Function","id":"CVE-2020-10531-8aefd4ce","target":{"function":"UnicodeStringTest::runIndexedTest","file":"icu4c/source/test/intltest/ustrtest.cpp"},"deprecated":false},{"source":"https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["281493051491934789897437676517916732519","16536246155701564973448811408738863909","170482884151252957689139896393908258054","244202485545224852526398604846366360242","297837186745196421493934701917911463958"]},"signature_type":"Line","id":"CVE-2020-10531-e4962e84","target":{"file":"icu4c/source/test/intltest/ustrtest.cpp"},"deprecated":false},{"source":"https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["176032011631701592212894972723462041867","313180536602387946983383287883265241998","253612880278707994326010847370624889941"]},"signature_type":"Line","id":"CVE-2020-10531-efe65e00","target":{"file":"icu4c/source/test/intltest/ustrtest.h"},"deprecated":false}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-10531.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}