
CVE-2018-8380: ChakraCore remote code execution vulnerability

CVSS Score (3.0): 7.5

Basic Information

EPSS Score: 0.89418%
Published: 5/13/2022
Updated: 8/28/2023
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| Microsoft.ChakraCore | nuget | < 1.10.2 | 1.10.2 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The commit diff shows critical changes to the exception handling logic. The vulnerability (CWE-787) stems from improper tracking of exception frames. `WalkAndClearInlineeFrameCallInfoOnException` previously validated frames against `tryCatchFrameAddr`, which was incorrectly managed by `TryCatchFrameAddrStack`. The patch replaces `tryCatchFrameAddr` with `tryHandlerAddrOfReturnAddr`, fixing the out-of-bounds (OOB) write by ensuring correct address validation during stack unwinding.


WAF Protection Rules

WAF Rule

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE I
