Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWpwaGctcXdydy03dzln
Unsafe object creation in json RubyGem
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269/GHSA-x457-cw4h-hq5f, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
Permalink: https://github.com/advisories/GHSA-jphg-qwrw-7w9g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWpwaGctcXdydy03dzln
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 4 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Percentage: 0.00415
EPSS Percentile: 0.73729
Identifiers: GHSA-jphg-qwrw-7w9g, CVE-2020-10663
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-10663
- https://github.com/flori/json/blob/master/CHANGES.md#2019-12-11-230
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2020-10663.yml
- https://lists.debian.org/debian-lts-announce/2020/04/msg00030.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7QL6MJD2BO4IRJ5CJFNMCDYMQQFT24BJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F4TNVTT66VPRMX5UZYSDGSVRXKKDDDU5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NK2PBXWMFRUD7U7Q7LHV4KYLYID77RI4/
- https://www.debian.org/security/2020/dsa-4721
- https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00004.html
- https://lists.apache.org/thread.html/r8d2e174230f6d26e16c007546e804c343f1f68956f526daaafa4aaae@%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rd9b9cc843f5cf5b532bdad9e87a817967efcf52b917e8c43b6df4cc7@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/ree3abcd33c06ee95ab59faa1751198a1186d8941ddc2c2562c12966c@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r5f17bfca1d6e7f4b33ae978725b2fd62a9f1b3111696eafa9add802d@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rb023d54a46da1ac0d8969097f5fecc79636b07d3b80db7b818a5c55c@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rb2b981912446a74e14fe6076c4b7c7d8502727ea0718e6a65a9b1be5@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rec8bb4d637b04575da41cfae49118e108e95d43bfac39b7b698ee4db@%3Cissues.zookeeper.apache.org%3E
- https://support.apple.com/kb/HT211931
- http://seclists.org/fulldisclosure/2020/Dec/32
- https://security.netapp.com/advisory/ntap-20210129-0003/
- https://lists.apache.org/thread.html/r37c0e1807da7ff2bdd028bbe296465a6bbb99e2320dbe661d5d8b33b@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r3b04f4e99a19613f88ae088aa18cd271231a3c79dfff8f5efa8cda61@%3Cissues.zookeeper.apache.org%3E
- https://github.com/advisories/GHSA-jphg-qwrw-7w9g
Blast Radius: 43.8
Affected Packages
rubygems:json
Dependent packages: 8,430
Dependent repositories: 698,810
Downloads: 925,770,699 total
Affected Version Ranges: < 2.3.0
Fixed in: 2.3.0
All affected versions: 0.4.0, 0.4.1, 0.4.2, 0.4.3, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.5, 1.8.6, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.2.0
All unaffected versions: 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1