CVE-2020-10663 Information

Description

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269 but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Reference

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00004.html
https://lists.apache.org/thread.html/r5f17bfca1d6e7f4b33ae978725b2fd62a9f1b3111696eafa9add802d@3Cissues.zookeeper.apache.org3E
https://lists.apache.org/thread.html/r8d2e174230f6d26e16c007546e804c343f1f68956f526daaafa4aaae@3Cdev.zookeeper.apache.org3E
https://lists.apache.org/thread.html/rb023d54a46da1ac0d8969097f5fecc79636b07d3b80db7b818a5c55c@3Cissues.zookeeper.apache.org3E
https://lists.apache.org/thread.html/rb2b981912446a74e14fe6076c4b7c7d8502727ea0718e6a65a9b1be5@3Cissues.zookeeper.apache.org3E
https://lists.apache.org/thread.html/rd9b9cc843f5cf5b532bdad9e87a817967efcf52b917e8c43b6df4cc7@3Cissues.zookeeper.apache.org3E
https://lists.apache.org/thread.html/ree3abcd33c06ee95ab59faa1751198a1186d8941ddc2c2562c12966c@3Cissues.zookeeper.apache.org3E
https://lists.debian.org/debian-lts-announce/2020/04/msg00030.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7QL6MJD2BO4IRJ5CJFNMCDYMQQFT24BJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F4TNVTT66VPRMX5UZYSDGSVRXKKDDDU5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NK2PBXWMFRUD7U7Q7LHV4KYLYID77RI4/
https://support.apple.com/kb/HT211931
https://www.debian.org/security/2020/dsa-4721
https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

7.5

Base Severity

HIGH
