CVE-2013-0269
Published: 2013-02-13
Priority: P345 · high · CVSS 2.0 base score 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 13.91% (96.1st percentile)
The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
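Two checks a practitioner typically wants from this advisory: whether the json gem version a process has loaded falls inside the affected ranges stated above (and the 2.3.0 fix line of the CVE-2020-10663 variant listed further down), and whether parsing untrusted input with object creation switched off really returns nothing but plain data. The Ruby below is an added example for this page, not code from the json gem or from any of the advisories quoted here. It assumes `Gem::Version` semantics for version comparison and that the gem's default create_id key is `"json_class"`; the class name in the sample document is constructed and does not exist.

```ruby
require 'json'
require 'rubygems'

# Affected ranges as stated in the CVE-2013-0269 summary:
# before 1.5.5, 1.6.x before 1.6.8, 1.7.x before 1.7.7.
# Lower bound inclusive (nil = no lower bound), upper bound (the fixed release) exclusive.
AFFECTED_RANGES_2013_0269 = [
  [nil,     '1.5.5'],
  ['1.6.0', '1.6.8'],
  ['1.7.0', '1.7.7']
].freeze

# The CVE-2020-10663 variant of the same issue is fixed in 2.3.0.
FIXED_2020_10663 = Gem::Version.new('2.3.0')

# True when `version` (a string such as "1.7.6") lies in an affected range.
def affected_by_cve_2013_0269?(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES_2013_0269.any? do |low, fixed|
    (low.nil? || v >= Gem::Version.new(low)) && v < Gem::Version.new(fixed)
  end
end

def affected_by_cve_2020_10663?(version)
  Gem::Version.new(version) < FIXED_2020_10663
end

# Version of the json gem actually loaded into this interpreter.
def loaded_json_version
  JSON::VERSION
end

# Values a parsed JSON document may legitimately consist of. Anything else means
# the parser instantiated a library or application object from the document.
def plain_json_value?(value)
  case value
  when nil, true, false, String, Integer, Float then true
  when Array then value.all? { |e| plain_json_value?(e) }
  when Hash  then value.all? { |k, val| k.is_a?(String) && plain_json_value?(val) }
  else false
  end
end

# Parse untrusted input with additions disabled explicitly rather than relying on
# the library default, then verify that only plain data came back.
def safe_parse(document)
  data = JSON.parse(document, create_additions: false)
  raise ArgumentError, 'parser returned non-plain objects' unless plain_json_value?(data)
  data
end

# Constructed sample document: it carries the gem's default create_id key
# ("json_class") and must still come back as an ordinary Hash with a String value.
SAMPLE_DOC = '{"json_class":"Example::NotARealClass","id":7,"tags":["a","b"]}'

if __FILE__ == $PROGRAM_NAME
  v = loaded_json_version
  puts "json gem #{v}: " \
       "CVE-2013-0269 #{affected_by_cve_2013_0269?(v) ? 'AFFECTED' : 'not in affected range'}, " \
       "CVE-2020-10663 #{affected_by_cve_2020_10663?(v) ? 'AFFECTED' : 'fixed'}"
  p safe_parse(SAMPLE_DOC)
end
```

Run it inside the application's bundle (`bundle exec ruby check_json.rb`) so `JSON::VERSION` reflects the gem the application actually loads rather than the interpreter's bundled copy; the `plain_json_value?` walk is also a cheap assertion to put around any parse path that feeds model attributes or query builders.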
Affected
34 ranges (source lists 25; identical rows shown once)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos | — | — |
| debian | debian_linux | — | — |
| debian | ruby-json | < ruby-json 2.3.0+dfsg-1 (bookworm) | ruby-json 2.3.0+dfsg-1 (bookworm) |
| debian | ruby-json | < ruby-json 1.7.3-3 (bookworm) | ruby-json 1.7.3-3 (bookworm) |
| debian | ruby2.7 | < ruby-json 2.3.0+dfsg-1 (bookworm) | ruby-json 2.3.0+dfsg-1 (bookworm) |
| fedoraproject | fedora | — | — |
| joyent | json | >= 0 < 2.3.0 | 2.3.0 |
| joyent | json | >= 0 < 1.5.5 | 1.5.5 |
| joyent | json | >= 1.6.0 < 1.6.8 | 1.6.8 |
| joyent | json | >= 1.7.0 < 1.7.7 | 1.7.7 |
| json_project | json | <= 2.2.0 | — |
| opensuse | leap | — | — |
| rubygems | json_gem | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |
OSV · Unsafe object creation in json RubyGem
osv · 2020-07-27 · CVE-2020-10663 [HIGH] · CVSS 7.5
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269/GHSA-x457-cw4h-hq5f, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
GHSA · Unsafe object creation in json RubyGem
ghsa · 2020-07-27 · CVE-2020-10663 [HIGH] · CWE-20 · CVSS 7.5
Description: identical to the OSV record for CVE-2020-10663 above.
OSV · CVE-2020-10663: The JSON gem through 2
osv · 2020-04-28 · CVE-2020-10663 [HIGH] · CVSS 7.5
Description: identical to the OSV record for CVE-2020-10663 above.
OSV · JSON gem has Improper Input Validation vulnerability
osv · 2017-10-24 · CVE-2013-0269 [HIGH]
Description: identical to the CVE-2013-0269 summary at the top of this page.
GHSA · JSON gem has Improper Input Validation vulnerability
ghsa · 2017-10-24 · CVE-2013-0269 [HIGH] · CWE-20
Description: identical to the CVE-2013-0269 summary at the top of this page.
OSV · CVE-2013-0269: The JSON gem before 1
osv · 2013-02-13 · CVE-2013-0269 [HIGH] · CVSS 7.5
Description: identical to the CVE-2013-0269 summary at the top of this page.
Red Hat · rubygem-json: Unsafe object creation vulnerability in JSON
vendor_redhat · 2020-03-19 · CVE-2020-10663 [HIGH] · CWE-915 · CVSS 7.5
Description: identical to the OSV record for CVE-2020-10663 above.
A flaw was found in rubygem-json. While parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269.
Statement: Red Hat CloudForms 5 uses vulnerable rubygem-json, however, is not
Debian · CVE-2020-10663: ruby-json - The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 thro...
vendor_debian · 2020 · CVE-2020-10663 [HIGH] · CVSS 7.5
Description: identical to the OSV record for CVE-2020-10663 above.
Scope: local
- bookworm: resolved (fixed in 2.3.0+dfsg-1)
- bullseye: resolved (fixed in 2.3.0+dfsg-1)
- forky: resolved (fixed in 2.3.0+dfsg-1)
- sid: resolved (fixed in 2.3.0+dfsg-1)
- trixie: resolved (fixed in 2.3.0+dfsg-1)
Ubuntu · Ruby vulnerabilities
vendor_ubuntu · 2013-02-21 · CVE-2012-5371 [MEDIUM] · CVSS 5.0
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
Jean-Philippe Aumasson discovered that Ruby incorrectly generated predictable hash values. An attacker could use this issue to generate hash collisions and cause a denial of service. (CVE-2012-5371)
Evgeny Ermakov discovered that documentation generated by rdoc is vulnerable to a cross-site scripting issue. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2013-0256)
Thomas Hollstegge and Ben Murphy discovered that the JSON implementation in Ruby incorrectly handled certain crafted documents. An attacker could use this issue to cause a
Red Hat · rubygem-json: Denial of Service and SQL Injection
vendor_redhat · 2013-02-11 · CVE-2013-0269 [HIGH] · CWE-502 · CVSS 7.5
Description: identical to the CVE-2013-0269 summary at the top of this page.
Statement: Red Hat Satellite tools ship RubyGem Json 1.4.6, which is earlier than the affected 1.5.5 version; however, this version of RubyGem is not affected by the flaw. We may update RubyGem in a future release.
Package: rubygem-json (Red Hat Enterprise MRG 2) - Affected
Package: jruby (Red Hat JBoss SOA Platfor
Debian · CVE-2013-0269: ruby-json - The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby a...
vendor_debian · 2013 · CVE-2013-0269 [HIGH] · CVSS 7.5
Description: identical to the CVE-2013-0269 summary at the top of this page.
Scope: local
- bookworm: resolved (fixed in 1.7.3-3)
- bullseye: resolved (fixed in 1.7.3-3)
- forky: resolved (fixed in 1.7.3-3)
- sid: resolved (fixed in 1.7.3-3)
- trixie: resolved (fixed in 1.7.3-3)
No detection rules found.
No public exploits indexed.
Bugzilla · CVE-2020-10663 rubygem-json: Unsafe object creation vulnerability in JSON
bugzilla · 2020-04-24 · CVE-2020-10663 [HIGH] · CVSS 7.5
In rubygem-json before 2.3.0 there is an unsafe object creation vulnerability. When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269.
References:
https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Discussion:
- Created jruby tracking bugs for this issue: Affects: fedora-all [bug 1827506]
- Created ruby tracking bugs for this issue: Affects: fedora-all [bug 1827505]
- Created ruby:2.5/ruby tracking bugs for this issue: Affects: fedora-all [bug 1827503]
- Created ruby:2.6/ruby tracking bugs for this issue: Affects: fedora-all [bug 1827504]
- Created rub
HackerOne · Variant of CVE-2013-0269 (Denial of Service and Unsafe Object Creation Vulnerability in JSON)
hackerone · 2020-04-23 · CVE-2013-0269 [HIGH] · CVSS 7.5
During my recent keyword argument separation work on `rb_scan_args` in the master branch, I discovered what I now think is a vulnerability.
While the CVE-2013-0269 change fixed most usage of `JSON.parse`, it ended up not fixing `Kernel#JSON`. The reason behind this is that internally, in `JSON::Parser#initialize` (in `cParser_initialize` in `ext/json/parser/parser.c`), there is a separate branch taken depending on whether an option hash was provided. The fix for CVE-2013-0269 only fixed one of these branches (when an option hash is provided). It did not fix the other branch (when no option hash is provided).
`Kernel#JSON` is able to easily hit the case where no option hash is provided, because it
Bugzilla · CVE-2013-0269 CVE-2013-1821 JRuby 1.7.2 multiple security flaws [fedora-rawhide]
bugzilla · 2013-06-13 · CVE-2013-0269 [HIGH] · CVSS 7.5
Fedora has jruby 1.7.2, which contains known CVEs that are fixed in version 1.7.3 (http://www.jruby.org/2013/02/21/jruby-1-7-3.html). In the meantime 1.7.4 has been released and it's probably best to update to it directly.
Discussion:
Thanks for this, Alexander. The two CVEs that are corrected are CVE-2013-0269 and CVE-2013-1821. I'm going to link those bugs and turn this into a tracking bug. I've looked on the upstream page and can't see anything about 1.6.x being affected by these, but it wouldn't surprise me if they were, so this may be an issue for Fedora 17 and 18 as well (unknown).
---
This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle. Changing version to '20'.
More inform
Bugzilla · CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection [fedora-all]
bugzilla · 2013-02-12 · CVE-2013-0269 [HIGH] · CVSS 7.5
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available.
Please note: this issue affe
Bugzilla · CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection [epel-all]
bugzilla · 2013-02-12 · CVE-2013-0269 [HIGH] · CVSS 7.5
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available.
Please note: this issue a
Bugzilla · CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection
bugzilla · 2013-02-08 · CVE-2013-0269 [HIGH] · CVSS 7.5
Aaron Patterson of Ruby on Rails project reports:
Denial of Service and Unsafe Object Creation Vulnerability in JSON
There is a denial of service and unsafe object creation vulnerability in the json gem. This vulnerability has been assigned the CVE identifier CVE-2013-0269.
Versions Affected: All. This includes JSON that ships with Ruby 1.9.X-pXXX
Not affected: NONE
Fixed Versions: 1.7.7, 1.6.8, 1.5.5
Impact
When parsing certain JSON documents, the JSON gem can be coerced into creating Ruby symbols in a target system. Since Ruby symbols are not garbage collected, this can result in a denial of service attack.
The same technique can be used to create objects in a target system that act like internal objects. These "act
References:
http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html
http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html
http://rhn.redhat.com/errata/RHSA-2013-0686.html
http://rhn.redhat.com/errata/RHSA-2013-0701.html
http://rhn.redhat.com/errata/RHSA-2013-1028.html
http://rhn.redhat.com/errata/RHSA-2013-1147.html
http://secunia.com/advisories/52075
http://secunia.com/advisories/52774
http://secunia.com/advisories/52902
http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/
http://www.openwall.com/lists/oss-security/2013/02/11/7
http://www.openwall.com/lists/oss-security/2013/02/11/8
http://www.osvdb.org/90074
http://www.securityfocus.com/bid/57899
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862
http://www.ubuntu.com/usn/USN-1733-1
http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection
https://exchange.xforce.ibmcloud.com/vulnerabilities/82010
https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain
https://puppet.com/security/cve/cve-2013-0269