Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1jNzl2LTJyanEtOTY1bc4AAR_K

ChakraCore vulnerable to privilege escalation

ChakraCore allows an attacker to gain the same user rights as the current user, due to the way that the ChakraCore scripting engine handles objects in memory. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Permalink: https://github.com/advisories/GHSA-c79v-2rjq-965m
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jNzl2LTJyanEtOTY1bc4AAR_K
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: 7 months ago

CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-c79v-2rjq-965m, CVE-2017-11767
References:

• https://nvd.nist.gov/vuln/detail/CVE-2017-11767
• https://github.com/chakra-core/ChakraCore/pull/3727
• https://github.com/chakra-core/ChakraCore/pull/3727/commits/b3e3959d14814f42ee2197c504c322bcbe12347d
• https://web.archive.org/web/20210124103810/http://www.securityfocus.com/bid/100838
• https://web.archive.org/web/20211127230635/http://www.securitytracker.com/id/1039369
• https://github.com/chakra-core/ChakraCore/commit/b3e3959d14814f42ee2197c504c322bcbe12347d
• https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2017-11767
• https://github.com/advisories/GHSA-c79v-2rjq-965m

Repository: https://github.com/chakra-core/ChakraCore
Blast Radius: 1.0

Affected Packages