CVE-2017-11874Improper Input Validation in Corporation Microsoft Edge

CWE-20Improper Input Validation8 documents4 sources
Severity
6.5MEDIUMNVD
NVD6.1NVD3.1
EPSS
6.7%
top 8.72%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Microsoft Corporation Microsoft EdgeMsrc ChakracoreMsrc Microsoft Edge ON Windows 10 Version 1703 FOR 32-bit Systems+3 more
Timeline
PublishedNov 15
Latest updateMay 17

Description

Microsoft Edge in Microsoft Windows 10 1703, 1709, Windows Server, version 1709, and ChakraCore allows an attacker to bypass Control Flow Guard (CFG) to run arbitrary code on a target system, due to how Microsoft Edge handles accessing memory in code compiled by the Edge Just-In-Time (JIT) compiler, aka "Microsoft Edge Security Feature Bypass Vulnerability". This CVE ID is unique from CVE-2017-11863 and CVE-2017-11872.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 1.6 | Impact: 1.4

Affected Packages6 packages

CVEListV5microsoft_corporation/microsoft_edgeMicrosoft Windows 10 1703, 1709, Windows Server, version 1709, and ChakraCore.

Patches

Patch: portal.msrc.microsoft.comPatch: portal.msrc.microsoft.com

🔴Vulnerability Details

3
GHSA
GHSA-5qcr-3r6j-g5fp: Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, Windows Server 2016 and Windows Server, version 1709 allows an attacker to trick2022-05-17
GHSA
GHSA-mpq3-wcg8-72j4: Microsoft Edge in Microsoft Windows 10 1703, 1709, Windows Server, version 1709, and ChakraCore allows an attacker to bypass Control Flow Guard (CFG)2022-05-13
GHSA
GHSA-7v23-c6x7-x7h2: Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server 2016 allows an attacker to force the browser to send data that would otherwise b2022-05-13

📋Vendor Advisories

1
Microsoft
Microsoft Edge Security Feature Bypass Vulnerability2017-11-14

🕵️Threat Intelligence

1
Talos
Microsoft Patch Tuesday - November 20172017-11-14