CVE-2018-8355 : A remote code execution vulnerability exists in the way the scripting engine han

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore, Internet Explorer 11, Microsoft Edge. This CVE ID is unique from CVE-2018-8353, CVE-2018-8359, CVE-2018-8371, CVE-2018-8372, CVE-2018-8373, CVE-2018-8385, CVE-2018-8389, CVE-2018-8390.

Published 2018-08-15 17:29:06

Updated 2020-08-24 17:37:01

Source Microsoft Corporation

View at NVD, CVE.org

Vulnerability category: Memory CorruptionExecute code

Products affected by CVE-2018-8355

Microsoft » Internet Explorer » Version: 11
cpe:2.3:a:microsoft:internet_explorer:11:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows 10 » Version: N/A
When used together with: Microsoft » Windows 10 » Version: 1607
When used together with: Microsoft » Windows 10 » Version: 1703
When used together with: Microsoft » Windows 10 » Version: 1709
When used together with: Microsoft » Windows 10 » Version: 1803
When used together with: Microsoft » Windows 7 » Update SP1
When used together with: Microsoft » Windows 8.1
When used together with: Microsoft » Windows Rt 8.1
When used together with: Microsoft » Windows Server 2008 » Version: R2 Update SP1
When used together with: Microsoft » Windows Server 2012 » Version: R2
When used together with: Microsoft » Windows Server 2016 » Version: N/A
Microsoft » Edge » Version: N/A
cpe:2.3:a:microsoft:edge:-:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows 10
When used together with: Microsoft » Windows 10 » Version: 1607
When used together with: Microsoft » Windows 10 » Version: 1703
When used together with: Microsoft » Windows 10 » Version: 1709
When used together with: Microsoft » Windows 10 » Version: 1803
Microsoft » Chakracore » Version: N/A
cpe:2.3:a:microsoft:chakracore:-:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2018-8355

EPSS FAQ

78.64%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-8355

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.6	HIGH	AV:N/AC:H/Au:N/C:C/I:C/A:C	4.9	10.0	NIST
Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.5	HIGH	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H	1.6	5.9	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2018-8355

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-8355

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8355

CVE-2018-8355 | Scripting Engine Memory Corruption Vulnerability
Patch;Vendor Advisory
http://www.securitytracker.com/id/1041457

Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, Gain Elevated Privileges, and Bypass Security Restrictions on the Target System - Securi
Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.securityfocus.com/bid/104978

Microsoft Internet Explorer and Edge CVE-2018-8355 Remote Memory Corruption Vulnerability
Third Party Advisory;VDB Entry
https://www.exploit-db.com/exploits/45432/

Microsoft Edge Chakra JIT - 'localeCompare' Type Confusion
Exploit;Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2018-8355

Products affected by CVE-2018-8355

Exploit prediction scoring system (EPSS) score for CVE-2018-8355

CVSS scores for CVE-2018-8355

CWE ids for CVE-2018-8355

References for CVE-2018-8355