Buffer overflow in JerryScript - CVE-2020-14163

 

Buffer overflow in JerryScript - CVE-2020-14163

Published: June 15, 2020 / Updated: August 8, 2020


Vulnerability identifier: #VU34253
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-14163
CWE-ID: CWE-119
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: JerryScript
Affected software:
JerryScript

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

An issue was discovered in ecma/operations/ecma-container-object.c in JerryScript 2.2.0. Operations with key/value pairs did not consider the case where garbage collection is triggered after the key operation but before the value operation, as demonstrated by improper read access to memory in ecma_gc_set_object_visited in ecma/base/ecma-gc.c.


How to mitigate CVE-2020-14163

Install update from vendor's website.

Sources