CVE-2019-1429
published 2019-11-12


Priority: P1 · 84 · high
CVSS 3.1: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 72.63% (99.4th percentile)
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1426, CVE-2019-1427, CVE-2019-1428.

Affected

36 ranges · showing 25

Vendor     Product               Version range  Fixed in
microsoft  chakracore            < 1.11.15      1.11.15
microsoft  internet_explorer
microsoft  internet_explorer
microsoft  internet_explorer
microsoft  internet_explorer_10
microsoft  internet_explorer_11
microsoft  internet_explorer_11
microsoft  internet_explorer_11
microsoft  internet_explorer_11
microsoft  internet_explorer_11
microsoft  internet_explorer_11
microsoft  internet_explorer_11
microsoft  internet_explorer_11
microsoft  internet_explorer_11
microsoft  internet_explorer_11
microsoft  internet_explorer_11
microsoft  internet_explorer_11
microsoft  internet_explorer_11
microsoft  internet_explorer_11
microsoft  internet_explorer_11
microsoft  internet_explorer_11
microsoft  internet_explorer_11
microsoft  internet_explorer_11
microsoft  internet_explorer_11
microsoft  internet_explorer_11

Detection & IOCs (extracted from sources)

process: jscript!PrepareInvoke+0x12a
command: JSON.stringify() toJSON callback triggering use-after-free in jscript!GCProtectKeyAndCall / jscript!JSONApplyFilters
  • CVE-2019-1429 was actively exploited in the wild at time of patch release (November 2019 Patch Tuesday); treat any unpatched Internet Explorer instances processing jscript content as high-risk.
  • Exploitation is confirmed on both latest and older software releases; detection should cover all supported Windows versions running Internet Explorer with jscript.dll.
  • Attack vector includes web-based delivery via specially crafted websites, ActiveX controls marked 'safe for initialization' embedded in Office documents, and compromised websites hosting user-provided content or advertisements — monitor IE process spawning child processes or making unusual network connections after visiting such content.
  • The PoC crash requires the entire block of jscript VAR structures to be freed to trigger the access violation; a partial garbage collection may not produce a crash, meaning the vulnerability could be silently exploited without an obvious crash signal.
  • The vulnerability is in jscript.dll (legacy scripting engine), not jscript9.dll (Chakra); detections scoped only to modern IE/Edge scripting engines may miss this.

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd          v2.0     7.6    HIGH      AV:N/AC:H/Au:N/C:C/I:C/A:C
vulncheck             7.5    HIGH
cisa                  7.5    HIGH
vendor_msrc           6.4    MEDIUM