
Medium: ruby

Description

**Issue Overview:**

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent. (CVE-2020-10663)

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, did not check the Transfer-Encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack. (CVE-2020-25613)

**Affected Packages:** ruby

**Issue Correction:** Run _yum update ruby_ to update your system. Amazon Linux 2 ships Ruby 2.0.0, and the fixed builds keep the upstream version numbers (ruby 2.0.0.648, rubygem-json 1.7.7) and differ only in the release tag 36.amzn2.0.2, so verify the installed release tag with rpm -q rather than comparing against the upstream version ranges quoted above.

**New Packages:**

aarch64:
    ruby-2.0.0.648-36.amzn2.0.2.aarch64
    ruby-devel-2.0.0.648-36.amzn2.0.2.aarch64
    ruby-libs-2.0.0.648-36.amzn2.0.2.aarch64
    rubygem-bigdecimal-1.2.0-36.amzn2.0.2.aarch64
    rubygem-io-console-0.4.2-36.amzn2.0.2.aarch64
    rubygem-json-1.7.7-36.amzn2.0.2.aarch64
    rubygem-psych-2.0.0-36.amzn2.0.2.aarch64
    ruby-tcltk-2.0.0.648-36.amzn2.0.2.aarch64
    ruby-debuginfo-2.0.0.648-36.amzn2.0.2.aarch64

i686:
    ruby-2.0.0.648-36.amzn2.0.2.i686
    ruby-devel-2.0.0.648-36.amzn2.0.2.i686
    ruby-libs-2.0.0.648-36.amzn2.0.2.i686
    rubygem-bigdecimal-1.2.0-36.amzn2.0.2.i686
    rubygem-io-console-0.4.2-36.amzn2.0.2.i686
    rubygem-json-1.7.7-36.amzn2.0.2.i686
    rubygem-psych-2.0.0-36.amzn2.0.2.i686
    ruby-tcltk-2.0.0.648-36.amzn2.0.2.i686
    ruby-debuginfo-2.0.0.648-36.amzn2.0.2.i686

noarch:
    rubygems-2.0.14.1-36.amzn2.0.2.noarch
    rubygems-devel-2.0.14.1-36.amzn2.0.2.noarch
    rubygem-rake-0.9.6-36.amzn2.0.2.noarch
    ruby-irb-2.0.0.648-36.amzn2.0.2.noarch
    rubygem-rdoc-4.0.0-36.amzn2.0.2.noarch
    ruby-doc-2.0.0.648-36.amzn2.0.2.noarch
    rubygem-minitest-4.3.2-36.amzn2.0.2.noarch

src:
    ruby-2.0.0.648-36.amzn2.0.2.src

x86_64:
    ruby-2.0.0.648-36.amzn2.0.2.x86_64
    ruby-devel-2.0.0.648-36.amzn2.0.2.x86_64
    ruby-libs-2.0.0.648-36.amzn2.0.2.x86_64
    rubygem-bigdecimal-1.2.0-36.amzn2.0.2.x86_64
    rubygem-io-console-0.4.2-36.amzn2.0.2.x86_64
    rubygem-json-1.7.7-36.amzn2.0.2.x86_64
    rubygem-psych-2.0.0-36.amzn2.0.2.x86_64
    ruby-tcltk-2.0.0.648-36.amzn2.0.2.x86_64
    ruby-debuginfo-2.0.0.648-36.amzn2.0.2.x86_64

### Additional References

Red Hat: [CVE-2020-10663](<https://access.redhat.com/security/cve/CVE-2020-10663>), [CVE-2020-25613](<https://access.redhat.com/security/cve/CVE-2020-25613>)

Mitre: [CVE-2020-10663](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10663>), [CVE-2020-25613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25613>)
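The "unsafe object creation" class of bug in CVE-2020-10663 comes down to whether the JSON parser honours a `json_class` key and calls that class's `json_create` with attacker-chosen arguments. The following is an added example, not code from the json gem, from Ruby, or from this advisory: `AuditCommand` is a hypothetical application class and the payload is constructed for illustration. It contrasts a parse that enables additions with the safe default and with a wrapper that pins the option for untrusted input.

```ruby
require 'json'

# Hypothetical application class, constructed for this example. Any class that
# responds to json_create can be instantiated by the parser when additions are
# enabled and the document carries a "json_class" key (JSON.create_id).
class AuditCommand
  attr_reader :argv

  def initialize(argv)
    @argv = argv
  end

  # Called by the JSON parser with the decoded hash when additions are enabled.
  def self.json_create(hash)
    new(hash['argv'])
  end
end

# Constructed attacker-controlled document: the attacker picks both the class
# name and the constructor arguments; the application never asked for an
# AuditCommand at all.
PAYLOAD = '{"json_class":"AuditCommand","argv":["rm","-rf","/srv/app"]}'.freeze

# Unsafe: honours json_class, so the parser hands back a live AuditCommand.
def parse_unsafe(doc)
  JSON.parse(doc, create_additions: true)
end

# Safe: plain JSON.parse leaves additions disabled and returns a Hash in which
# "json_class" is just another string key.
def parse_safe(doc)
  JSON.parse(doc)
end

# Defensive wrapper for untrusted input: set the option explicitly so that a
# caller-supplied options hash (or a changed default) cannot re-enable additions.
def parse_untrusted(doc, opts = {})
  JSON.parse(doc, opts.merge(create_additions: false))
end

if $PROGRAM_NAME == __FILE__
  p parse_unsafe(PAYLOAD).class                              # AuditCommand
  p parse_safe(PAYLOAD).class                                # Hash
  p parse_untrusted(PAYLOAD, create_additions: true).class   # Hash
end
```

The object created here is only as dangerous as the `json_create` methods reachable in the process, which is what the advisory means by "application-dependent"; the practitioner's check is to grep for `create_additions: true` and for `JSON.load` on request bodies, since `JSON.load` has historically enabled additions by default, and to route untrusted documents through something like `parse_untrusted`.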

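CVE-2020-25613 is a request-smuggling bug: a lax Transfer-Encoding check lets a back end and a front-end proxy disagree about where one request's body ends. The block below is an added example and is not WEBrick's code or its fix; `split_request`, `read_chunked` and the three `frame_*` functions are a hypothetical minimal HTTP/1.1 framer, and the requests are constructed. It shows the lax check accepting an obfuscated coding, a naive front end falling back to Content-Length on the same bytes, and a strict check that refuses the ambiguous request outright.

```ruby
# Hypothetical minimal HTTP/1.1 request framer, written for this example; it is
# not WEBrick's code and only models how a server decides where a body ends.
class BadRequest < StandardError; end

# Split a raw request into [request_line, headers (lower-cased names), rest].
def split_request(raw)
  head, rest = raw.split("\r\n\r\n", 2)
  request_line, *header_lines = head.split("\r\n")
  headers = {}
  header_lines.each do |line|
    name, value = line.split(":", 2)
    headers[name.strip.downcase] = value.to_s.strip
  end
  [request_line, headers, rest || ""]
end

# Decode a chunked body; returns [body, bytes left over on the connection].
def read_chunked(rest)
  body = +""
  loop do
    size_line, rest = rest.split("\r\n", 2)
    raise BadRequest, "truncated chunked body" unless rest
    size = size_line.split(";").first.to_s.to_i(16)   # ignore chunk extensions
    if size.zero?
      # Last chunk: skip any trailer section up to the terminating blank line.
      rest = rest.start_with?("\r\n") ? rest[2..] : rest.split("\r\n\r\n", 2)[1].to_s
      return [body, rest]
    end
    body << rest[0, size]
    rest = rest[size + 2..].to_s   # drop chunk data and its trailing CRLF
  end
end

def read_by_content_length(headers, rest)
  n = Integer(headers.fetch("content-length", "0"), 10)
  [rest[0, n].to_s, rest[n..].to_s]
end

# Lax back end (the class of bug described above): any Transfer-Encoding value
# that merely contains "chunked" selects chunked framing.
def frame_lax(raw)
  _, h, rest = split_request(raw)
  return read_chunked(rest) if h["transfer-encoding"].to_s =~ /chunked/i
  read_by_content_length(h, rest)
end

# Naive front end: recognises only the exact token "chunked" and otherwise
# falls back to Content-Length.
def frame_proxy(raw)
  _, h, rest = split_request(raw)
  return read_chunked(rest) if h["transfer-encoding"].to_s.casecmp?("chunked")
  read_by_content_length(h, rest)
end

# Strict framing in the spirit of RFC 7230 section 3.3.3: an unrecognised
# transfer coding, or Transfer-Encoding alongside Content-Length, is rejected
# so that no two hops can disagree about where the body ends.
def frame_strict(raw)
  _, h, rest = split_request(raw)
  te = h["transfer-encoding"]
  return read_by_content_length(h, rest) unless te
  raise BadRequest, "Transfer-Encoding and Content-Length together" if h.key?("content-length")
  raise BadRequest, "unsupported Transfer-Encoding: #{te}" unless te.casecmp?("chunked")
  read_chunked(rest)
end

# Constructed CL.TE smuggling request: the front end frames by Content-Length
# and forwards everything as one request; the lax back end frames by chunked,
# ends the body at "0\r\n\r\n" and treats the remainder as a second request.
SMUGGLED = "GET /admin HTTP/1.1\r\nHost: app\r\n\r\n"
INNER = "0\r\n\r\n" + SMUGGLED
ATTACK = "POST /upload HTTP/1.1\r\nHost: app\r\n" \
         "Content-Length: #{INNER.bytesize}\r\n" \
         "Transfer-Encoding: xchunked\r\n\r\n" + INNER

# Constructed well-formed chunked request for comparison.
LEGIT = "POST /upload HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n" \
        "5\r\nhello\r\n0\r\n\r\n"

if $PROGRAM_NAME == __FILE__
  p frame_proxy(ATTACK)    # body is all of INNER, nothing left over: one request
  p frame_lax(ATTACK)      # body "", leftover is the smuggled GET /admin
  p frame_strict(LEGIT)    # ["hello", ""]
  begin
    frame_strict(ATTACK)
  rescue BadRequest => e
    puts "rejected: #{e.message}"
  end
end
```

The leftover bytes from `frame_lax` are the whole attack: on a kept-alive back-end connection they are prepended to whichever request the proxy forwards next, so the smuggled `GET /admin` runs in another client's context. The strict framer closes that gap by refusing to guess; when the front end also rejects the ambiguous request, no desync is possible regardless of which hop is patched first.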

Affected Package


| OS | OS Version | Package Name | Package Version |
|---|---|---|---|
| Amazon Linux | 2 | ruby | 2.0.0.648-36.amzn2.0.2 |
| Amazon Linux | 2 | ruby-devel | 2.0.0.648-36.amzn2.0.2 |
| Amazon Linux | 2 | ruby-libs | 2.0.0.648-36.amzn2.0.2 |
| Amazon Linux | 2 | rubygem-bigdecimal | 1.2.0-36.amzn2.0.2 |
| Amazon Linux | 2 | rubygem-io-console | 0.4.2-36.amzn2.0.2 |
| Amazon Linux | 2 | rubygem-json | 1.7.7-36.amzn2.0.2 |
| Amazon Linux | 2 | rubygem-psych | 2.0.0-36.amzn2.0.2 |
| Amazon Linux | 2 | ruby-tcltk | 2.0.0.648-36.amzn2.0.2 |
| Amazon Linux | 2 | ruby-debuginfo | 2.0.0.648-36.amzn2.0.2 |
| Amazon Linux | 2 | rubygems | 2.0.14.1-36.amzn2.0.2 |
| Amazon Linux | 2 | rubygems-devel | 2.0.14.1-36.amzn2.0.2 |
| Amazon Linux | 2 | rubygem-rake | 0.9.6-36.amzn2.0.2 |
| Amazon Linux | 2 | ruby-irb | 2.0.0.648-36.amzn2.0.2 |
| Amazon Linux | 2 | rubygem-rdoc | 4.0.0-36.amzn2.0.2 |
| Amazon Linux | 2 | ruby-doc | 2.0.0.648-36.amzn2.0.2 |
| Amazon Linux | 2 | rubygem-minitest | 4.3.2-36.amzn2.0.2 |
