Sha256: 199f31931c3630a1f71037d21044c23c61d811a559b2629875ba9864eb6389d6
Contents?: true
Size: 1.33 KB
Versions: 1
Compression:
Stored size: 1.33 KB
Contents
---
gem: json
cve: 2020-10663
url: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
title: json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
date: 2020-03-19
description: |
There is an unsafe object creation vulnerability in the json gem bundled with
Ruby. This vulnerability has been assigned the CVE identifier CVE-2020-10663.
We strongly recommend upgrading the json gem.
Details
-------
When parsing certain JSON documents, the json gem (including the one bundled
with Ruby) can be coerced into creating arbitrary objects in the target system.
This is the same issue as CVE-2013-0269. The previous fix was incomplete, which
addressed JSON.parse(user_input), but didn’t address some other styles of JSON
parsing including JSON(user_input) and JSON.parse(user_input, nil).
See CVE-2013-0269 in detail. Note that the issue was exploitable to cause a
Denial of Service by creating many garbage-uncollectable Symbol objects, but
this kind of attack is no longer valid because Symbol objects are now
garbage-collectable. However, creating arbitrary objects may cause severe
security consequences depending upon the application code.
patched_versions:
- ">= 2.3.0"
related:
cve:
- 2013-0269
url:
- https://groups.google.com/forum/#!topic/ruby-security-ann/ermX1eQqqKA
Version data entries
1 entries across 1 versions & 1 rubygems
| Version | Path |
|---|---|
| bundler-audit-0.7.0.1 | data/ruby-advisory-db/gems/json/CVE-2020-10663.yml |