CVE-2018-8291: ChakraCore RCE Vulnerability

CVSS Score (v3.0): 7.5

Basic Information

EPSS Score: 0.99228%
Published: 5/13/2022
Updated: 10/6/2023
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name: Microsoft.ChakraCore
Ecosystem: nuget
Vulnerable Versions: < 1.10.1
First Patched Version: 1.10.1

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The GitHub patch explicitly adds missing property copies in DictionaryPropertyDescriptor::CopyFrom. The CWE-843 (Type Confusion) and exploit description both align with incomplete descriptor copies causing memory corruption. The commit message directly attributes CVE-2018-8291 to this function, and the exploit PoC demonstrates how missing IsShadowed handling leads to type confusion.

WAF Protection Rules

WAF Rule

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore, Internet Explorer **, Microsoft Edge. This