CVE-2023-36109
Published: 20 September 2023
Summary
CVE-2023-36109 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in JerryScript. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 4.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-36109 is a buffer overflow vulnerability in JerryScript version 3.0 that resides in the ecma_stringbuilder_append_raw function within the file /jerry-core/ecma/base/ecma-helpers-string.c. The flaw is tracked under CWE-120 and carries a CVSS 3.1 score of 9.8, reflecting a network-accessible attack that requires no authentication or user interaction.
Remote, unauthenticated attackers can supply crafted input that triggers the overflow, resulting in arbitrary code execution on the affected system. The vulnerability is exploitable over the network with low attack complexity, allowing an adversary to achieve full control of the process memory and execute attacker-supplied code.
Public references consist of a proof-of-concept repository and an associated issue filed in the JerryScript project tracker; neither source describes patches, workarounds, or mitigation steps. The associated EPSS score stands at 0.2036 with no indicated change from its recorded peak.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-40088
Vulnerability details
Buffer Overflow vulnerability in JerryScript version 3.0, allows remote attackers to execute arbitrary code via ecma_stringbuilder_append_raw component at /jerry-core/ecma/base/ecma-helpers-string.c.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.