
CVE-2018-8505: ChakraCore RCE Vulnerability

CVSS Score (v3.0): 7.5

Basic Information

EPSS Score: 0.91513%
Published: 5/13/2022
Updated: 10/6/2023
KEV Status: No
Technology: C#

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name: Microsoft.ChakraCore
Ecosystem: nuget
Vulnerable Versions: < 1.11.2
First Patched Version: 1.11.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The patch adds missing-item checks (SparseArraySegment<int32>::IsMissingItem) that were absent in two key locations:

1) In JavascriptOperators.cpp's NativeIntArray handling, where type confusion could occur during JIT optimization because values that resolve to the engine's "missing item" marker were accepted as ordinary integers, leading to memory corruption.
2) In JavascriptArray.cpp's DirectSetItemAt, where debug-only assertions offered no protection against invalid writes in release builds.

Both locations correspond directly to the CWE-787 (out-of-bounds write) classification and to the commit's stated focus on fixing type confusion in JIT operations.


WAF Protection Rules

WAF Rule

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID
