CVE-2017-11767 — ChakraCore vulnerable to privilege escalation

Description

ChakraCore allows an attacker to gain the same user rights as the current user, due to the way that the ChakraCore scripting engine handles objects in memory. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

How to fix CVE-2017-11767

To remediate CVE-2017-11767, upgrade the affected package to a fixed version below.

—upgrade to 1.6.2 or later

Is CVE-2017-11767 being exploited?

Moderate — EPSS is 17.2%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 1.6.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-11767
PATCHgithub.com/chakra-core/ChakraCore
WEBgithub.com/chakra-core/ChakraCore/commit/b3e3959d14814f42ee2197c504c322bcbe12347d
WEBgithub.com/chakra-core/ChakraCore/pull/3727