CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional fix)

9 months ago - Direct link

There is an unsafe object creation vulnerability in the json gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2020-10663. We strongly recommend upgrading the json gem.

Details

When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system.

This is the same issue as CVE-2013-0269. The previous fix was incomplete, which addressed JSON.parse(user_input), but didn’t address some other styles of JSON parsing including JSON(user_input) and JSON.parse(user_input, nil).

See ...


Go to article →

Links in this thread

CVE - CVE-2020-10663
Common Vulnerabilities and Exposures (CVE®) is a list of entries — each containing an identification number, a description, and at least one public reference — for publicly known cybersecurity vulnerabilities. Assigned by CVE Numbering Authorities (CNAs) from around the world, use of CVE Entries ensures confidence among parties when used to discuss or share information about a unique software vulnerability, provides a baseline for tool evaluation, and enables data exchange for cybersecurity automation.


Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269)
There is a denial of service and unsafe object creation vulnerability in the json bundled with ruby. This vulnerability has been assigned the CVE identifier CVE-2013-0269. We strongly recommend to upgrade ruby.