CVE ID: CVE-2019-9197
Type: Remote Code Execution
Discovered By: rgod of 9sg Security Team - email@example.com working with Trend Micro’s Zero Day Initiative
Patch Availability: 2019/03/04
Affected Operating System: Windows
Affected Versions: All (Windows)
-  2019.2.0a7 (Win), size= 795,664bytes, md5=6fcde1045cc4af7f84ba4f820f5db868
-  2019.1.0b5 (Win), size= 696,212 kB, md5: d2ec9e0dc974adfd0e465ffe2e3f1c23
-  2018.3.7f1 (Win), size=570,279kB, md5=6fcde1045cc4af7f84ba4f820f5db868
-  2018.2.21f1 (Win), size=580,009kB, md5=1b87b98c936c81148a99c879386e676c
-  2017.4.22f1 (Win), size=527,486kB, md5=8cb0783f22dc5bfc80d2f170472aefbf
-  5.6.7f1 (Win), size=554,855kB, md5=d761d8c151007ce2474ddc9d468abc02
An input string validation issue was identified in the Unity Editor affecting the Windows platform that could lead to Remote Code Execution (RCE), allowing an attacker to potentially execute code remotely in the user’s computer.
Open a Unity project.
The Unity version is visible in the main window title.
In the File menu choose Help -> About Unity.
The Unity version is shown in the About Unity window.
If your version of the Unity Editor is not one of the listed in the Patch Versions of the Vulnerabilities Details section above you can continue with the update installation as follows.
To install the update you can use the Unity Editor update checker available in the File menu Help -> Check for Updates.
Additionally, you can download and install the corresponding patch for your version of the Unity Editor. The download links are available in the Patch Versions of the Vulnerabilities Details section and in the References section.
If your version of the Unity Editor is not listed, or you are unable to install the update at this time, you can use the Mitigation Tool Guide .
Please keep in mind the recommended action is to install a fixed version of the Unity Editor.