CVE-2020-14163

7.5 HIGH

📋 TL;DR

This CVE describes a use-after-free vulnerability in JerryScript's garbage collector that can lead to memory corruption. Attackers could exploit this to cause denial of service, information disclosure, or potentially execute arbitrary code. This affects systems running applications that use vulnerable versions of the JerryScript JavaScript engine.

💻 Affected Systems

Products:
  • JerryScript JavaScript engine
Versions: JerryScript 2.2.0 and potentially earlier versions
Operating Systems: All operating systems running JerryScript
Default Config Vulnerable: ⚠️ Yes
Notes: JerryScript is commonly used in embedded systems, IoT devices, and resource-constrained environments. Any application using the vulnerable JerryScript version is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation.

🟠 Likely Case

Application crash causing denial of service, memory corruption leading to information disclosure, or limited code execution within the JavaScript engine context.

🟢 If Mitigated

Application instability or crashes without data compromise if proper sandboxing and memory protections are in place.

🌐 Internet-Facing: MEDIUM - Exploitation requires the attacker to supply malicious JavaScript to the vulnerable engine, which could occur through web applications or IoT device interfaces.
🏢 Internal Only: LOW - Most JerryScript deployments are in embedded systems or IoT devices rather than traditional enterprise applications.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific JavaScript to trigger the garbage collection timing issue. No public exploit code has been identified, but the vulnerability is well-documented in the source code commits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: JerryScript after commit c2b662170245a16f46ce02eae68815c325d99821

Vendor Advisory: https://github.com/jerryscript-project/jerryscript/commit/c2b662170245a16f46ce02eae68815c325d99821

Restart Required: Yes

Instructions:

1. Update JerryScript to a version after commit c2b662170245a16f46ce02eae68815c325d99821.
2. Recompile any applications using JerryScript with the updated library.
3. Restart affected services or devices.

🔧 Temporary Workarounds

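Disable JavaScript execution
Platform: all

If JerryScript functionality is not essential, disable JavaScript execution in affected applications.

Command: application-specific configuration

Memory protection hardening
Platform: linux

Enable ASLR and other memory protection mechanisms to reduce exploit impact.

# Run as root. 2 = full randomization (stack, mmap, VDSO and heap).
echo 2 > /proc/sys/kernel/randomize_va_space
# Legacy setting: kernel.exec-shield exists only on older Red Hat-derived kernels;
# on other kernels this sysctl reports an unknown key and can be skipped.
sysctl -w kernel.exec-shield=1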

🧯 If You Can't Patch

  • Isolate affected systems in network segments with strict access controls
  • Implement application allowlisting to prevent unauthorized JavaScript execution

🔍 How to Verify

Check if Vulnerable:

Check JerryScript version: jerry --version or examine library files for version 2.2.0

Check Version:

jerry --version 2>/dev/null || strings /path/to/jerryscript/library | grep -i version

Verify Fix Applied:

Verify JerryScript version is after commit c2b662170245a16f46ce02eae68815c325d99821
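
One way to carry out this check against a source checkout, as an added example that is not part of the original advisory or of JerryScript's own tooling. The function name jerry_fix_status and the checkout path are assumptions; the check relies on git merge-base --is-ancestor to test whether the fix commit is in the history of the checked-out revision.

```shell
#!/bin/sh
# Added example: report whether a JerryScript git checkout contains the
# CVE-2020-14163 fix commit named in this advisory.
FIX_COMMIT="c2b662170245a16f46ce02eae68815c325d99821"

# jerry_fix_status REPO_DIR [COMMIT]
# Prints "patched", "vulnerable" or "unknown"; returns 0, 1 or 2 respectively.
# (Hypothetical helper name; COMMIT defaults to the fix commit above.)
jerry_fix_status() {
    repo=$1
    commit=${2:-$FIX_COMMIT}

    # Tarball exports and vendored copies carry no history to inspect.
    if ! git -C "$repo" rev-parse --git-dir >/dev/null 2>&1; then
        echo unknown
        return 2
    fi

    # A shallow or stale clone may not have the commit object at all.
    # That is inconclusive: fetch full history, then re-run.
    if ! git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null; then
        echo unknown
        return 2
    fi

    # The fix is present only if the commit is an ancestor of (or equal to)
    # the revision that is actually checked out and built.
    if git -C "$repo" merge-base --is-ancestor "$commit" HEAD; then
        echo patched
        return 0
    fi

    echo vulnerable
    return 1
}

# Stand-alone use: sh check_fix.sh /path/to/jerryscript
if [ "$#" -gt 0 ]; then
    jerry_fix_status "$1"
fi
```

An "unknown" result means the build needs a different check, such as comparing the vendored source against the upstream commit.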

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Memory access violation errors
  • Unexpected garbage collection behavior

Network Indicators:

  • Unusual JavaScript payloads sent to embedded devices
  • Traffic patterns targeting JerryScript interfaces

SIEM Query:

source="application.log" AND ("segmentation fault" OR "memory violation" OR "jerryscript")
