CVE-2020-25739

Published: 23 September 2020

An issue was discovered in the gon gem before gon-6.4.0 for Ruby. MultiJson does not honor the escape_mode parameter to escape fields as an XSS protection mechanism. To mitigate, json_dumper.rb in gon now does escaping for XSS by default without relying on MultiJson.

From the Ubuntu security team

It was discovered that Gon gem did not properly escape certain input. An attacker could use this vulnerability to execute a cross-site scripting (XSS) attack.

Priority

Medium

CVSS 3 base score: 6.1

Status

Package Release Status
ruby-gon
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(6.4.0-1)
Ubuntu 20.10 (Groovy Gorilla) Needed

Ubuntu 20.04 LTS (Focal Fossa) Needed

Ubuntu 18.04 LTS (Bionic Beaver)
Released (6.1.0-1+deb9u1build0.18.04.1)
Ubuntu 16.04 LTS (Xenial Xerus) Needed

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Ubuntu 12.04 ESM (Precise Pangolin) Does not exist