GHSA-pcr8-75v3-w9pf

Source

https://github.com/advisories/GHSA-pcr8-75v3-w9pf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pcr8-75v3-w9pf/GHSA-pcr8-75v3-w9pf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-pcr8-75v3-w9pf

Aliases

CVE-2017-11862

Published

2022-05-17T00:19:55Z

Modified

2024-02-16T08:10:29.581621Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Chakra Core vulnerable to privilege escalation due to type confusion

Details

ChakraCore and Microsoft Edge in Windows 10 1709 and Windows Server, version 1709 allows an attacker to gain the same user rights as the current user, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". Individual Export in module exports was not taking care of destructuring nodes, leading to type confusion. This was fixed by adding support for walking those nodes.

This CVE ID is unique from CVE-2017-11836, CVE-2017-11837, CVE-2017-11838, CVE-2017-11839, CVE-2017-11840, CVE-2017-11841, CVE-2017-11843, CVE-2017-11846, CVE-2017-11858, CVE-2017-11859, CVE-2017-11861, CVE-2017-11866, CVE-2017-11869, CVE-2017-11870, CVE-2017-11871, and CVE-2017-11873.

Database specific

{
    "nvd_published_at": "2017-11-15T03:29:00Z",
    "cwe_ids": [
        "CWE-119"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-27T19:30:54Z"
}

References

Affected packages

NuGet / Microsoft.ChakraCore

Package

Name: Microsoft.ChakraCore; View open source insights on deps.dev
Purl: pkg:nuget/Microsoft.ChakraCore

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.7.4

Affected versions

1.*

1.2.0

1.2.1

1.2.2

1.2.3

1.2.6.62716-preview

1.3.0

1.3.1

1.3.2

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.5.0

1.5.1

1.5.2

1.5.3

1.6.0

1.6.2

1.7.0

1.7.1

1.7.2

1.7.3