CVE-2020-23313

7.5 HIGH

📋 TL;DR

CVE-2020-23313 is a reachable assertion vulnerability in JerryScript's scanner_literal_is_created function that can cause denial of service through application crashes. This affects systems running JerryScript 2.2.0, which is an embedded JavaScript engine commonly used in IoT devices and resource-constrained environments.

💻 Affected Systems

Products:
  • JerryScript
Versions: Version 2.2.0
Operating Systems: All platforms running JerryScript
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects JerryScript 2.2.0 specifically. Earlier and later versions are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if combined with other vulnerabilities, though this specific CVE primarily causes crashes.
🟠 Likely Case: Denial of service through application crashes when processing malicious JavaScript input.
🟢 If Mitigated: Limited impact with proper input validation and sandboxing in place.

🌐 Internet-Facing: MEDIUM - Exploitation requires sending malicious JavaScript to vulnerable systems, but many JerryScript deployments are in IoT devices with limited attack surfaces.
🏢 Internal Only: LOW - Most JerryScript deployments are in embedded systems with limited network exposure.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof of concept is available in the GitHub issue. Exploitation requires the ability to inject JavaScript into the JerryScript engine.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2.2.0 (2.3.0 and later)

Vendor Advisory: https://github.com/jerryscript-project/jerryscript/issues/3823

Restart Required: Yes

Instructions:

1. Upgrade JerryScript to version 2.3.0 or later.
2. Recompile any applications using JerryScript.
3. Restart affected services or devices.

🔧 Temporary Workarounds

Input validation and sanitization

all

Implement strict input validation for JavaScript code processed by JerryScript

Memory limit restrictions

all

Configure memory limits to prevent exploitation attempts from causing system-wide impact

🧯 If You Can't Patch

  • Isolate JerryScript instances in containers or sandboxes to limit blast radius
  • Implement network segmentation to restrict access to vulnerable systems

🔍 How to Verify

Check if Vulnerable:

Check the JerryScript version: run grep -r 'JERRYSCRIPT_VERSION' over the source code, or check the version of the compiled binary.

Check Version:

jerry --version (if available) or check build configuration

Verify Fix Applied:

Verify that the JerryScript version is 2.3.0 or later, and test with the known malicious input from the GitHub issue.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with JerryScript assertion failures
  • Error messages containing 'js-scanner-util.c:2510'

Network Indicators:

  • Unusual JavaScript payloads sent to embedded devices
  • Repeated connection attempts to JerryScript endpoints

SIEM Query:

source="*jerry*" AND ("assertion failed" OR "js-scanner-util.c:2510")
