Sha256: 1710e08dfbbf963f29bd681febc5aedf9365ec215ebdb0a7b492bd9af95108a8

Contents?: true

Size: 757 Bytes

Versions: 3

Compression:

Stored size: 757 Bytes

Contents

---
engine: ruby
cve: 2017-14064
url: https://www.ruby-lang.org/en/news/2017/09/14/json-heap-exposure-cve-2017-14064/
title: Heap exposure vulnerability in generating JSON
date: 2017-09-14
description: |
  There is a heap exposure vulnerability in JSON bundled by Ruby.

  The generate method of JSON module optionally accepts an instance of
  JSON::Ext::Generator::State class. If a malicious instance is passed, the
  result may include contents of heap.  All users running an affected release
  should either upgrade or use one of the workarounds immediately.

  The JSON library is also distributed as a gem. If you can’t upgrade Ruby
  itself, install JSON gem newer than version 2.0.4.
patched_versions:
  - "~> 2.2.8"
  - "~> 2.3.5"
  - ">= 2.4.2"

Version data entries

3 entries across 3 versions & 2 rubygems

Version                 Path
bundler-audit-0.7.0.1   data/ruby-advisory-db/rubies/ruby/CVE-2017-14064.yml
bundler-budit-0.6.2     data/ruby-advisory-db/rubies/ruby/CVE-2017-14064.yml
bundler-budit-0.6.1     data/ruby-advisory-db/rubies/ruby/CVE-2017-14064.yml