CVE-2021-46346 in JerryScript

Summary

by MITRE • 01/21/2022

There is an Assertion 'local_tza == ecma_date_local_time_zone_adjustment (date_value)' failed at /jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set):421 in JerryScript 3.0.0.


Analysis

by VulDB Data Team • 01/26/2022

This vulnerability exists within the JerryScript JavaScript engine version 3.0.0, specifically in the date prototype setter dispatch function, ecma_builtin_date_prototype_dispatch_set. The assertion failure occurs at line 421 of ecma-builtin-date-prototype.c, where the engine checks that local_tza equals the result of the ecma_date_local_time_zone_adjustment function. This represents a critical runtime error that could potentially lead to denial of service or arbitrary code execution, depending on how the assertion failure is handled by the JavaScript engine. The vulnerability stems from improper validation of timezone adjustments during date manipulation operations, indicating a fundamental flaw in the date object's internal state management.

The technical flaw manifests when the JavaScript engine processes date operations that involve timezone adjustments, particularly in the context of date prototype methods such as setHours, setMinutes, setSeconds, or setMilliseconds. The assertion failure suggests that the local timezone adjustment value does not match the expected computed value from the timezone adjustment function, pointing to a potential inconsistency in how the engine calculates or caches timezone information. This type of assertion failure typically indicates that the engine has encountered an unexpected state that violates its internal assumptions, which could be exploited by malicious actors to trigger undefined behavior or bypass security checks.

From an operational impact perspective, this vulnerability could enable attackers to cause the JavaScript engine to crash or behave unpredictably when processing specific date-related operations. The vulnerability is particularly concerning because it occurs in a core engine component that handles date manipulation, which is frequently used in web applications, server-side JavaScript environments, and embedded systems. Depending on the execution context, this could lead to denial of service attacks against web applications, or potentially allow for more sophisticated exploitation if the assertion failure is not properly handled and can be leveraged to corrupt memory or execute arbitrary code. The vulnerability affects systems that rely on JerryScript for JavaScript execution, particularly embedded devices, IoT applications, or any system where JerryScript serves as the JavaScript engine.

The vulnerability can be classified under CWE-254 as a "Security Feature Missing" or potentially CWE-611 as "Improper Restriction of XML External Entity Reference" if the date operations involve external data processing, though the primary classification relates to the assertion failure in the date handling code. In terms of ATT&CK framework mapping, this vulnerability aligns with T1210 "Exploitation of Remote Services" and T1499.004 "Endpoint Denial of Service" as it could be leveraged to cause service disruption or system instability. The attack surface is broad since any application using JerryScript 3.0.0 that processes date operations could be affected, including web browsers, embedded systems, or IoT devices that utilize JerryScript for scripting capabilities.

Organizations should consider implementing input validation and sanitization for date-related operations, along with regular updates to JerryScript to ensure the vulnerability is patched. Additionally, monitoring for assertion failures or unexpected crashes during date processing operations could help identify exploitation attempts. The most effective mitigation strategy involves upgrading to a patched version of JerryScript where the assertion failure has been properly addressed through either fixing the underlying timezone calculation logic or implementing proper error handling for the assertion condition.
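The monitoring suggested above can key on the assertion message format quoted in the Summary. The following Python sketch is an added example, not code from VulDB or the JerryScript project; the log layout, timestamps, host names and the placeholder assertion line are constructed for illustration.

```python
import re
from collections import Counter

# Message format quoted in the Summary:
#   Assertion '<expr>' failed at <file>(<function>):<line>
ASSERT_RE = re.compile(
    r"Assertion '(?P<expr>.+)' failed at "
    r"(?P<file>\S+?)\((?P<func>\w+)\):(?P<line>\d+)"
)

# Source file named in the advisory; assertions raised there are flagged.
DATE_PROTO_FILE = "ecma-builtin-date-prototype.c"

# Constructed sample log (assumed layout, not real device output).
SAMPLE_LOG = """\
2022-01-22T10:00:01Z dev-17 script start id=41
2022-01-22T10:00:01Z dev-17 Assertion 'local_tza == ecma_date_local_time_zone_adjustment (date_value)' failed at /jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set):421.
2022-01-22T10:00:02Z dev-17 watchdog: engine restarted
2022-01-22T10:03:40Z dev-09 Assertion 'placeholder_condition' failed at /jerry-core/placeholder/placeholder.c(placeholder_function):10.
2022-01-22T10:05:12Z dev-09 Assertion 'local_tza == ecma_date_local_time_zone_adjustment (date_value)' failed at /jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set):421.
"""

def parse_assertions(log_text):
    """Return one dict per assertion-failure line found in log_text."""
    hits = []
    for log_line, text in enumerate(log_text.splitlines(), 1):
        m = ASSERT_RE.search(text)
        if not m:
            continue
        hit = m.groupdict()
        hit["line"] = int(hit["line"])
        hit["log_line"] = log_line
        # Flag failures raised in the date prototype source file.
        hit["date_prototype"] = hit["file"].endswith("/" + DATE_PROTO_FILE)
        hits.append(hit)
    return hits

def summarize(hits):
    """Count failures per (source file basename, function, line) site."""
    return Counter((h["file"].rsplit("/", 1)[-1], h["func"], h["line"]) for h in hits)

if __name__ == "__main__":
    for site, count in summarize(parse_assertions(SAMPLE_LOG)).most_common():
        print(count, site)
```

JerryScript's assertions are active in debug builds; a release build will not emit this message, so pair the pattern with crash and restart monitoring.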

Reservation

01/18/2022

Disclosure

01/21/2022

Moderation

accepted

CPE

ready

EPSS

0.00644

KEV

no

Activities

very low
