CVE-2020-10663
Published: 2020-04-28
Title: CVE-2020-10663: The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability…
Priority: P3 · 43 · high
CVSS 3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS: 6.81% (93.2nd percentile)
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | ruby-json | < ruby-json 2.3.0+dfsg-1 (bookworm) | ruby-json 2.3.0+dfsg-1 (bookworm) |
| debian | ruby2.7 | < ruby-json 2.3.0+dfsg-1 (bookworm) | ruby-json 2.3.0+dfsg-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| joyent | json | >= 0 < 2.3.0 | 2.3.0 |
| json_project | json | <= 2.2.0 | — |
| opensuse | leap | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
OSV
Title: ruby2.3, ruby2.5, ruby2.7 vulnerabilities
Published: 2021-03-18 · CVSS 7.5 (HIGH)
It was discovered that the Ruby JSON gem incorrectly handled certain JSON
files. If a user or automated system were tricked into parsing a specially
crafted JSON file, a remote attacker could use this issue to execute
arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04
LTS. (CVE-2020-10663)
It was discovered that Ruby incorrectly handled certain socket memory
operations. A remote attacker could possibly use this issue to obtain
sensitive information. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-10933)
It was discovered that Ruby incorrectly handled certain transfer-encoding
headers when using Webrick. A remote attacker could possibly use this issue
to bypass a reverse proxy. (CVE-2020-25613)
OSV
Title: Unsafe object creation in json RubyGem
Published: 2020-07-27 · CVSS 7.5 (HIGH)
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269/GHSA-x457-cw4h-hq5f, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
GHSA
Title: Unsafe object creation in json RubyGem
Published: 2020-07-27 · CVSS 7.5 (HIGH) · CWE-20
Description: same text as the OSV "Unsafe object creation in json RubyGem" entry above (including the CVE-2013-0269/GHSA-x457-cw4h-hq5f cross-reference).
OSV
Title: CVE-2020-10663: The JSON gem through 2
Published: 2020-04-28 · CVSS 7.5 (HIGH)
Description: identical to the NVD description at the top of this page.
Ubuntu
Title: Ruby vulnerabilities
Published: 2021-03-18 · CVSS 7.5 (HIGH)
Summary: Several security issues were fixed in Ruby.
Advisory text: identical to the OSV mirror of this Ubuntu notice above (CVE-2020-10663, CVE-2020-10933, CVE-2020-25613); the copy on this page is truncated.
Red Hat
Title: rubygem-json: Unsafe object creation vulnerability in JSON
Published: 2020-03-19 · CVSS 7.5 (HIGH) · CWE-915
Description: identical to the NVD description at the top of this page.
A flaw was found in rubygem-json. While parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269.
Statement: Red Hat CloudForms 5 uses vulnerable rubygem-json, however, is not
Debian
Title: CVE-2020-10663: ruby-json - The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 thro...
Published: 2020 · CVSS 7.5 (HIGH)
Description: identical to the NVD description at the top of this page.
Scope: local
bookworm: resolved (fixed in 2.3.0+dfsg-1)
bullseye: resolved (fixed in 2.3.0+dfsg-1)
forky: resolved (fixed in 2.3.0+dfsg-1)
sid: resolved (fixed in 2.3.0+dfsg-1)
trixie: resolved (fixed in 2.3.0+dfsg-1)
No detection rules found.
No public exploits indexed.
Bugzilla
Title: CVE-2020-10663 rubygem-json: Unsafe Object Creation Vulnerability in JSON [epel-6]
Published: 2020-04-24 · CVSS 7.5 (HIGH)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to for the
Bugzilla
Title: CVE-2020-10663 jruby: rubygem-json: Unsafe Object Creation Vulnerability in JSON [fedora-all]
Published: 2020-04-24 · CVSS 7.5 (HIGH)
Same automatically created tracking-bug template as the epel-6 entry above, filed against fedora-all.
NOTE: this issue affects multiple su
Bugzilla
Title: CVE-2020-10663 rubygem-json: Unsafe object creation vulnerability in JSON
Published: 2020-04-24 · CVSS 7.5 (HIGH)
In rubygem-json before 2.3.0 there is an unsafe object creation vulnerability. When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269.
References:
https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Discussion:
Created jruby tracking bugs for this issue:
Affects: fedora-all [bug 1827506]
Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 1827505]
Created ruby:2.5/ruby tracking bugs for this issue:
Affects: fedora-all [bug 1827503]
Created ruby:2.6/ruby tracking bugs for this issue:
Affects: fedora-all [bug 1827504]
Created rub
Bugzilla
Title: CVE-2020-10663 ruby: rubygem-json: Unsafe Object Creation Vulnerability in JSON [fedora-all]
Published: 2020-04-24 · CVSS 7.5 (HIGH)
Same automatically created tracking-bug template as the epel-6 entry above, filed against fedora-all.
NOTE: this issue affects multiple sup
Bugzilla
Title: CVE-2020-10663 ruby:2.5/ruby: rubygem-json: Unsafe Object Creation Vulnerability in JSON [fedora-all]
Published: 2020-04-24 · CVSS 7.5 (HIGH)
Same automatically created tracking-bug template as the epel-6 entry above, filed against fedora-all.
NOTE: this issue affects mul
Bugzilla
Title: CVE-2020-10663 ruby:2.6/ruby: rubygem-json: Unsafe Object Creation Vulnerability in JSON [fedora-all]
Published: 2020-04-24 · CVSS 7.5 (HIGH)
Same automatically created tracking-bug template as the epel-6 entry above, filed against fedora-all.
NOTE: this issue affects mul
Bugzilla
Title: CVE-2020-10663 rubygem-json: Unsafe Object Creation Vulnerability in JSON [fedora-all]
Published: 2020-04-24 · CVSS 7.5 (HIGH)
Same automatically created tracking-bug template as the epel-6 entry above, filed against fedora-all.
NOTE: this issue affects multiple supported
Bugzilla
Title: CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection
Published: 2013-02-08 · CVSS 7.5 (HIGH)
Aaron Patterson of Ruby on Rails project reports:
Denial of Service and Unsafe Object Creation Vulnerability in JSON
There is a denial of service and unsafe object creation vulnerability in the
json gem. This vulnerability has been assigned the CVE identifier
CVE-2013-0269.
Versions Affected: All. This includes JSON that ships with Ruby 1.9.X-pXXX
Not affected: NONE
Fixed Versions: 1.7.7, 1.6.8, 1.5.5
Impact
When parsing certain JSON documents, the JSON gem can be coerced into
creating Ruby symbols in a target system. Since Ruby symbols are not garbage
collected, this can result in a denial of service attack.
The same technique can be used to create objects in a target system that act
like internal objects. These "act
References:
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00004.html
http://seclists.org/fulldisclosure/2020/Dec/32
https://lists.apache.org/thread.html/r37c0e1807da7ff2bdd028bbe296465a6bbb99e2320dbe661d5d8b33b%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r3b04f4e99a19613f88ae088aa18cd271231a3c79dfff8f5efa8cda61%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r5f17bfca1d6e7f4b33ae978725b2fd62a9f1b3111696eafa9add802d%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r8d2e174230f6d26e16c007546e804c343f1f68956f526daaafa4aaae%40%3Cdev.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/rb023d54a46da1ac0d8969097f5fecc79636b07d3b80db7b818a5c55c%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/rb2b981912446a74e14fe6076c4b7c7d8502727ea0718e6a65a9b1be5%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/rd9b9cc843f5cf5b532bdad9e87a817967efcf52b917e8c43b6df4cc7%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/rec8bb4d637b04575da41cfae49118e108e95d43bfac39b7b698ee4db%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/ree3abcd33c06ee95ab59faa1751198a1186d8941ddc2c2562c12966c%40%3Cissues.zookeeper.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/04/msg00030.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7QL6MJD2BO4IRJ5CJFNMCDYMQQFT24BJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F4TNVTT66VPRMX5UZYSDGSVRXKKDDDU5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NK2PBXWMFRUD7U7Q7LHV4KYLYID77RI4/
https://security.netapp.com/advisory/ntap-20210129-0003/
https://support.apple.com/kb/HT211931
https://www.debian.org/security/2020/dsa-4721
https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/