CVE-2020-10663
Published: 28 April 2020
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
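As an added illustration of the defensive side (not code from the advisory or from the JSON gem's own test suite): the JSON gem only instantiates Ruby objects from a document when additions are enabled, so untrusted input should be parsed with `create_additions: false` stated explicitly, and the `json_class` key that additions react to can be located and logged or rejected before the data travels further. The input document and the class name `ExampleClass` are constructed for the example; upgrading to a fixed gem version remains the actual fix.

```ruby
require 'json'

# Constructed sample: an untrusted document carrying the "json_class" key
# that the JSON gem honours only when create_additions is enabled.
UNTRUSTED = '{"json_class":"ExampleClass","a":[1,5,false],"meta":{"x":[{"json_class":"Other"}]}}'

# Parse untrusted input with additions explicitly disabled, rather than
# relying on the default: the special key stays an ordinary string entry
# and no Ruby object is instantiated from it.
def parse_untrusted(doc)
  JSON.parse(doc, create_additions: false)
end

# Defensive check: walk the parsed tree and return the JSON-path-like
# location of every hash that contains a "json_class" key, so a caller
# can log or reject such documents before they reach code that might
# later re-serialise or re-parse them with additions enabled.
def json_class_keys(obj, path = '$', found = [])
  case obj
  when Hash
    found << path if obj.key?('json_class')
    obj.each { |k, v| json_class_keys(v, "#{path}.#{k}", found) }
  when Array
    obj.each_with_index { |v, i| json_class_keys(v, "#{path}[#{i}]", found) }
  end
  found
end

# Convenience wrapper: parse safely and refuse documents that carry the key.
def parse_or_reject(doc)
  data = parse_untrusted(doc)
  hits = json_class_keys(data)
  raise ArgumentError, "json_class present at #{hits.join(', ')}" unless hits.empty?
  data
end

if __FILE__ == $PROGRAM_NAME
  data = parse_untrusted(UNTRUSTED)
  puts "parsed class: #{data.class}"            # Hash, not ExampleClass
  puts "json_class locations: #{json_class_keys(data).inspect}"
end
```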
Priority
CVSS 3 base score: 7.5
Status
Package | Release | Status
---|---|---
ruby-json (Launchpad, Ubuntu, Debian) | bionic | Needs triage
ruby-json (Launchpad, Ubuntu, Debian) | eoan | Ignored (reached end-of-life)
ruby-json (Launchpad, Ubuntu, Debian) | focal | Not vulnerable (2.3.0+dfsg-1build1)
ruby-json (Launchpad, Ubuntu, Debian) | groovy | Not vulnerable
ruby-json (Launchpad, Ubuntu, Debian) | hirsute | Not vulnerable
ruby-json (Launchpad, Ubuntu, Debian) | impish | Not vulnerable
ruby-json (Launchpad, Ubuntu, Debian) | jammy | Not vulnerable
ruby-json (Launchpad, Ubuntu, Debian) | kinetic | Not vulnerable
ruby-json (Launchpad, Ubuntu, Debian) | precise | Does not exist
ruby-json (Launchpad, Ubuntu, Debian) | trusty | Needs triage
ruby-json (Launchpad, Ubuntu, Debian) | upstream | Released (2.3.0+dfsg-1)
ruby-json (Launchpad, Ubuntu, Debian) | xenial | Needs triage
ruby2.1 (Launchpad, Ubuntu, Debian) | bionic | Does not exist
ruby2.1 (Launchpad, Ubuntu, Debian) | eoan | Does not exist
ruby2.1 (Launchpad, Ubuntu, Debian) | focal | Does not exist
ruby2.1 (Launchpad, Ubuntu, Debian) | groovy | Does not exist
ruby2.1 (Launchpad, Ubuntu, Debian) | hirsute | Does not exist
ruby2.1 (Launchpad, Ubuntu, Debian) | impish | Does not exist
ruby2.1 (Launchpad, Ubuntu, Debian) | jammy | Does not exist
ruby2.1 (Launchpad, Ubuntu, Debian) | kinetic | Does not exist
ruby2.1 (Launchpad, Ubuntu, Debian) | precise | Does not exist
ruby2.1 (Launchpad, Ubuntu, Debian) | trusty | Does not exist
ruby2.1 (Launchpad, Ubuntu, Debian) | upstream | Needs triage
ruby2.1 (Launchpad, Ubuntu, Debian) | xenial | Does not exist
ruby2.3 (Launchpad, Ubuntu, Debian) | bionic | Does not exist
ruby2.3 (Launchpad, Ubuntu, Debian) | eoan | Does not exist
ruby2.3 (Launchpad, Ubuntu, Debian) | focal | Does not exist
ruby2.3 (Launchpad, Ubuntu, Debian) | groovy | Does not exist
ruby2.3 (Launchpad, Ubuntu, Debian) | hirsute | Does not exist
ruby2.3 (Launchpad, Ubuntu, Debian) | impish | Does not exist
ruby2.3 (Launchpad, Ubuntu, Debian) | jammy | Does not exist
ruby2.3 (Launchpad, Ubuntu, Debian) | kinetic | Does not exist
ruby2.3 (Launchpad, Ubuntu, Debian) | precise | Does not exist
ruby2.3 (Launchpad, Ubuntu, Debian) | trusty | Does not exist
ruby2.3 (Launchpad, Ubuntu, Debian) | upstream | Needs triage
ruby2.3 (Launchpad, Ubuntu, Debian) | xenial | Released (2.3.1-2~ubuntu16.04.15)
ruby2.5 (Launchpad, Ubuntu, Debian) | bionic | Released (2.5.1-1ubuntu1.8)
ruby2.5 (Launchpad, Ubuntu, Debian) | eoan | Ignored (reached end-of-life)
ruby2.5 (Launchpad, Ubuntu, Debian) | focal | Does not exist
ruby2.5 (Launchpad, Ubuntu, Debian) | groovy | Does not exist
ruby2.5 (Launchpad, Ubuntu, Debian) | hirsute | Does not exist
ruby2.5 (Launchpad, Ubuntu, Debian) | impish | Does not exist
ruby2.5 (Launchpad, Ubuntu, Debian) | jammy | Does not exist
ruby2.5 (Launchpad, Ubuntu, Debian) | kinetic | Does not exist
ruby2.5 (Launchpad, Ubuntu, Debian) | precise | Does not exist
ruby2.5 (Launchpad, Ubuntu, Debian) | trusty | Does not exist
ruby2.5 (Launchpad, Ubuntu, Debian) | upstream | Needs triage
ruby2.5 (Launchpad, Ubuntu, Debian) | xenial | Does not exist
ruby2.7 (Launchpad, Ubuntu, Debian) | bionic | Does not exist
ruby2.7 (Launchpad, Ubuntu, Debian) | eoan | Does not exist
ruby2.7 (Launchpad, Ubuntu, Debian) | focal | Not vulnerable (2.7.0-5ubuntu1.2)
ruby2.7 (Launchpad, Ubuntu, Debian) | groovy | Not vulnerable (2.7.1-3ubuntu1.1)
ruby2.7 (Launchpad, Ubuntu, Debian) | hirsute | Not vulnerable (2.7.2-4)
ruby2.7 (Launchpad, Ubuntu, Debian) | impish | Not vulnerable (2.7.2-4)
ruby2.7 (Launchpad, Ubuntu, Debian) | precise | Does not exist
ruby2.7 (Launchpad, Ubuntu, Debian) | trusty | Does not exist
ruby2.7 (Launchpad, Ubuntu, Debian) | upstream | Not vulnerable (debian: Fixed before initial upload to Debian)
ruby2.7 (Launchpad, Ubuntu, Debian) | xenial | Does not exist

Patches (ruby2.5): upstream: https://github.com/ruby/ruby/commit/b379ecd8b6832dfcd5dad353b6bfd41701e2d678 (2.5.8)

Patches (ruby2.7): upstream: https://github.com/ruby/ruby/commit/36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01 (2.6.6)