CVE-2020-10663
Published: 28 April 2020
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
ruby-json Launchpad, Ubuntu, Debian |
xenial |
Needs triage
|
| impish |
Not vulnerable
|
|
| focal |
Not vulnerable
(2.3.0+dfsg-1build1)
|
|
| hirsute |
Not vulnerable
|
|
| kinetic |
Not vulnerable
|
|
| lunar |
Not vulnerable
|
|
| bionic |
Needs triage
|
|
| eoan |
Ignored
(end of life)
|
|
| groovy |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| trusty |
Needs triage
|
|
| upstream |
Released
(2.3.0+dfsg-1)
|
|
| mantic |
Not vulnerable
|
|
|
ruby2.1 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| groovy |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| mantic |
Does not exist
|
|
|
ruby2.3 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(2.3.1-2~ubuntu16.04.15)
|
|
| hirsute |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| groovy |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| mantic |
Does not exist
|
|
|
ruby2.5 Launchpad, Ubuntu, Debian |
eoan |
Ignored
(end of life)
|
| focal |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| bionic |
Released
(2.5.1-1ubuntu1.8)
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| groovy |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
| mantic |
Does not exist
|
|
|
Patches: upstream: https://github.com/ruby/ruby/commit/b379ecd8b6832dfcd5dad353b6bfd41701e2d678 (2.5.8) |
||
|
ruby2.7 Launchpad, Ubuntu, Debian |
hirsute |
Not vulnerable
(2.7.2-4)
|
| focal |
Not vulnerable
(2.7.0-5ubuntu1.2)
|
|
| bionic |
Does not exist
|
|
| eoan |
Does not exist
|
|
| groovy |
Not vulnerable
(2.7.1-3ubuntu1.1)
|
|
| impish |
Not vulnerable
(2.7.2-4)
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(debian: Fixed before initial upload to Debian)
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/ruby/ruby/commit/36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01 (2.6.6) |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |