Miggo Logo

CVE-2020-17054: Out-of-bounds Write in ChakraCore

7.5

CVSS Score
3.1

Basic Information

EPSS Score
0.83786%
Published
8/2/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyC#

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
Microsoft.ChakraCorenuget< 1.11.231.11.23

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The GitHub commit e81e8a5 shows the vulnerability was addressed by adding a null/validity check for 'inlineeFrameDisplaySym' before using it. The original code contained an assertion but lacked runtime validation, which would be removed in release builds. This created a scenario where an unallocated symbol could be used for memory operations, directly matching the CWE-787 (out-of-bounds write) description in the CVE.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

***kr* S*riptin* *n*in* M*mory *orruption Vuln*r**ility T*is *V* I* is uniqu* *rom *V*-****-*****.

Reasoning

T** *it*u* *ommit ******* s*ows t** vuln*r**ility w*s ***r*ss** *y ***in* * null/v*li*ity ****k *or 'inlin***r*m**ispl*ySym' ***or* usin* it. T** ori*in*l *o** *ont*in** *n *ss*rtion *ut l**k** runtim* v*li**tion, w*i** woul* ** r*mov** in r*l**s* *u