Source: FreeBSD VuXML, entry C79EB109-A754-45D7-B552-A42099EB2265
Published: Feb 11, 2013 - 12:00 a.m.

Ruby -- Denial of Service and Unsafe Object Creation Vulnerability in JSON

2013-02-11 00:00:00
vuxml.freebsd.org

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.019 Low (percentile 88.2%)

Aaron Patterson reports:

When parsing certain JSON documents, the JSON gem can be coerced into creating Ruby symbols in a target system. Since Ruby symbols are not garbage collected, this can result in a denial of service attack.

The same technique can be used to create objects in a target system that act like internal objects. These “act alike” objects can be used to bypass certain security mechanisms and can be used as a spring board for SQL injection attacks in Ruby on Rails.
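The advisory above describes two behaviours of the JSON gem that untrusted input can trigger: interning symbols and instantiating objects through the gem's "additions" mechanism. The following is an added example, not code from the advisory, from FreeBSD or from the Ruby JSON project: it shows the defensive parsing configuration (`create_additions: false` and string keys, both real `JSON.parse` options) and a small detection walk that reports whether a document carried the gem's create-id key (`JSON.create_id`, `"json_class"` by default) so that such documents can be logged. The function names `parse_untrusted` and `create_id_keys` and the sample document are assumptions made for this example; the sample document is constructed and uses a harmless class name.

```ruby
require 'json'

# Constructed sample input (not taken from the advisory): an untrusted document
# that carries the JSON gem's create-id key ("json_class" by default), which is
# the marker the gem's "additions" mechanism uses to instantiate objects.
UNTRUSTED_DOC = '{"json_class":"Range","a":[1,10,false],"note":"constructed"}'

# Parse untrusted JSON with object creation and symbol creation both disabled.
# create_additions: false keeps "json_class" an ordinary string-keyed entry
# instead of instantiating the named class; symbolize_names: false means keys
# stay Strings, so no interned symbol is created per attacker-chosen key.
def parse_untrusted(src)
  JSON.parse(src, create_additions: false, symbolize_names: false)
end

# Detection: walk a parsed structure and return the paths of every object that
# carries the create-id key. Parsing already refused to honor the key; this
# lets a service log that an input tried to trigger object creation.
def create_id_keys(obj, path = '$', found = [])
  case obj
  when Hash
    found << path if obj.key?(JSON.create_id)
    obj.each { |k, v| create_id_keys(v, "#{path}.#{k}", found) }
  when Array
    obj.each_with_index { |v, i| create_id_keys(v, "#{path}[#{i}]", found) }
  end
  found
end

if __FILE__ == $PROGRAM_NAME
  parsed = parse_untrusted(UNTRUSTED_DOC)
  puts "result class: #{parsed.class}"                 # Hash, not Range
  puts "create-id hits: #{create_id_keys(parsed).inspect}"
end
```

Modern versions of the gem default `create_additions` to false for `JSON.parse`, but passing it explicitly documents the intent and protects code that might later be switched to `JSON.load`, which is the loader meant for trusted data.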
