CVE-2019-0812: ChakraCore RCE Vulnerability
7.5
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.97432%
CWE
Published
5/13/2022
Updated
9/28/2023
KEV Status
No
Technology
C#
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
Microsoft.ChakraCore | nuget | < 1.11.8 | 1.11.8 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability (CWE-787) stems from missing type validation in property handling logic. The patches in both files add a 'type == typeToEnumerate' check to prevent type confusion. The absence of this check in the original code allowed attackers to manipulate object types and trigger out-of-bounds writes. The functions
modifying property descriptors in these files are directly responsible for the unsafe memory operations, as shown by the critical addition of the type validation
in the patches.