Remote Code Execution (RCE)

Affecting microsoft.chakracore package, versions [,1.111.1)

Overview

Microsoft.ChakraCore is a core part of the Chakra JavaScript engine that powers Microsoft Edge.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user and then escalate privileges from there.

Remediation

Upgrade Microsoft.ChakraCore to version 1.111.1 or higher.

CVSS Score

4.2 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C

Credit: Yuki Chen
CVE: CVE-2019-1001, CVE-2019-1062, CVE-2019-1092, CVE-2019-1103, CVE-2019-1106, CVE-2019-1107
CWE: CWE-119
Snyk ID: SNYK-DOTNET-MICROSOFTCHAKRACORE-451557
Disclosed: 09 Jul, 2019
Published: 10 Jul, 2019