CVE-2020-1037 — ChakraCore Remote Code Execution Vulnerability

Description

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based), aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

How to fix CVE-2020-1037

To remediate CVE-2020-1037, upgrade the affected package to a fixed version below.

NuGet/Microsoft.ChakraCore—upgrade to 1.11.19 or later

Is CVE-2020-1037 being exploited?

Low — EPSS is 3.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.11.19

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-1037
PATCHgithub.com/chakra-core/ChakraCore
WEBgithub.com/chakra-core/ChakraCore/commit/73ced029e6a06fcce9fd8c886dc73e5290f2ae69
WEBgithub.com/chakra-core/ChakraCore/pull/6447