Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-11861 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft Internet Explorer

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer41 documents9 sources

Severity

7.5HIGHNVD

EPSS

76.2%

top 1.07%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Microsoft Internet Explorer Msrc Chakracore Msrc Microsoft Edge ON Windows 10 Version 1607 FOR 32-bit Systems +6 more

Timeline

PublishedNov 15

Latest updateMay 17

Description

Microsoft Edge in Windows 10 1607, 1703, 1709, Windows Server 2016 and Windows Server, version 1709 allows an attacker to gain the same user rights as the current user, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11836, CVE-2017-11837, CVE-2017-11838, CVE-2017-11839, CVE-2017-11840, CVE-2017-11841, CVE-2017-11843, CVE-2017-11846, CVE-2017-11858, CVE-2017-11859, CVE-2017-11862, CVE-2017-1186…

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages9 packages

▶msrcmsrc/microsoft_edge_on_windows_server_2016

▶msrcmsrc/microsoft_edge_on_windows_10_version_1709_for_32-bit_systems

▶msrcmsrc/microsoft_edge_on_windows_10_version_1709_for_x64-based_systems

▶msrcmsrc/microsoft_edge_on_windows_10_version_1607_for_32-bit_systems

▶msrcmsrc/microsoft_edge_on_windows_10_version_1703_for_32-bit_systems

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-f92j-xcf9-hq3p: ChakraCore, and Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, Windows Server 2016 and Windows Server, version 1709 allows an at↗2022-05-17

▶

GHSA

GHSA-wqcq-mggq-ggvw: ChakraCore and Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8↗2022-05-17

▶

GHSA

Chakra Core vulnerable to privilege escalation due to type confusion↗2022-05-17

▶

GHSA

GHSA-w6f6-8p4j-54vr: ChakraCore and Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8↗2022-05-17

▶

GHSA

GHSA-jx2p-r863-cg3f: ChakraCore and Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8↗2022-05-17

▶

💥Exploits & PoCs

Exploit-DB

Microsoft Edge Chakra: JIT - 'Lowerer::LowerBoundCheck' Incorrect Integer Overflow Check↗2017-11-16

▶

📋Vendor Advisories

Microsoft

Scripting Engine Memory Corruption Vulnerability↗2017-11-14

▶

🕵️Threat Intelligence

Talos

Microsoft Patch Tuesday - November 2017↗2017-11-14

▶

Talos

Microsoft Patch Tuesday - November 2017↗2017-11-14

▶

Zscaler

Zscaler protects against 10 new vulnerabilities for Internet↗

▶