Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!Close

CVE-2020-10663

Published: 28 April 2020

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.

Priority

Medium

Cvss 3 Severity Score

7.5

Score breakdown

Status

Package Release Status
ruby-json
Launchpad, Ubuntu, Debian
xenial Needs triage

impish Not vulnerable

focal Not vulnerable
(2.3.0+dfsg-1build1)
hirsute Not vulnerable

kinetic Not vulnerable

lunar Not vulnerable

bionic Needs triage

eoan Ignored
(end of life)
groovy Not vulnerable

jammy Not vulnerable

trusty Needs triage

upstream
Released (2.3.0+dfsg-1)
mantic Not vulnerable

ruby2.1
Launchpad, Ubuntu, Debian
bionic Does not exist

eoan Does not exist

focal Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

hirsute Does not exist

kinetic Does not exist

lunar Does not exist

groovy Does not exist

impish Does not exist

jammy Does not exist

mantic Does not exist

ruby2.3
Launchpad, Ubuntu, Debian
bionic Does not exist

eoan Does not exist

focal Does not exist

trusty Does not exist

upstream Needs triage

xenial
Released (2.3.1-2~ubuntu16.04.15)
hirsute Does not exist

kinetic Does not exist

lunar Does not exist

groovy Does not exist

impish Does not exist

jammy Does not exist

mantic Does not exist

ruby2.5
Launchpad, Ubuntu, Debian
eoan Ignored
(end of life)
focal Does not exist

hirsute Does not exist

bionic
Released (2.5.1-1ubuntu1.8)
kinetic Does not exist

lunar Does not exist

groovy Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

mantic Does not exist

Patches:
upstream: https://github.com/ruby/ruby/commit/b379ecd8b6832dfcd5dad353b6bfd41701e2d678 (2.5.8)

ruby2.7
Launchpad, Ubuntu, Debian
hirsute Not vulnerable
(2.7.2-4)
focal Not vulnerable
(2.7.0-5ubuntu1.2)
bionic Does not exist

eoan Does not exist

groovy Not vulnerable
(2.7.1-3ubuntu1.1)
impish Not vulnerable
(2.7.2-4)
trusty Does not exist

upstream Not vulnerable
(debian: Fixed before initial upload to Debian)
xenial Does not exist

Patches:

upstream: https://github.com/ruby/ruby/commit/36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01 (2.6.6)

Severity score breakdown

Parameter Value
Base score 7.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact High
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N