Vulnerability Description
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Json Project | Json | <= 2.2.0 |
| Ruby-Lang | Ruby | >= 2.4.0, <= 2.4.9 |
| Fedoraproject | Fedora | 30 |
| Opensuse | Leap | 15.1 |
| Debian | Debian Linux | 8.0 |
| Apple | Macos | 11.0.1 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00004.htmlMailing ListThird Party Advisory
- http://seclists.org/fulldisclosure/2020/Dec/32Mailing ListThird Party Advisory
- https://lists.apache.org/thread.html/r37c0e1807da7ff2bdd028bbe296465a6bbb99e2320
- https://lists.apache.org/thread.html/r3b04f4e99a19613f88ae088aa18cd271231a3c79df
- https://lists.apache.org/thread.html/r5f17bfca1d6e7f4b33ae978725b2fd62a9f1b31116
- https://lists.apache.org/thread.html/r8d2e174230f6d26e16c007546e804c343f1f68956f
- https://lists.apache.org/thread.html/rb023d54a46da1ac0d8969097f5fecc79636b07d3b8
- https://lists.apache.org/thread.html/rb2b981912446a74e14fe6076c4b7c7d8502727ea07
- https://lists.apache.org/thread.html/rd9b9cc843f5cf5b532bdad9e87a817967efcf52b91
- https://lists.apache.org/thread.html/rec8bb4d637b04575da41cfae49118e108e95d43bfa
- https://lists.apache.org/thread.html/ree3abcd33c06ee95ab59faa1751198a1186d8941dd
- https://lists.debian.org/debian-lts-announce/2020/04/msg00030.htmlMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2020-10663?
CVE-2020-10663 is a vulnerability with a CVSS score of 7.5 (HIGH). The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, b...
How severe is CVE-2020-10663?
CVE-2020-10663 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-10663?
Check the references section above for vendor advisories and patch information. Affected products include: Json Project Json, Ruby-Lang Ruby, Fedoraproject Fedora, Opensuse Leap, Debian Debian Linux.