CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.019 (Low)
EPSS Percentile: 88.2%
Aaron Patterson reports:
When parsing certain JSON documents, the JSON gem can be coerced into creating Ruby symbols in a target system. Since Ruby symbols are not garbage collected, this can result in a denial of service attack.

The same technique can be used to create objects in a target system that act like internal objects. These "act alike" objects can be used to bypass certain security mechanisms and can be used as a springboard for SQL injection attacks in Ruby on Rails.
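As an added illustration (not part of the advisory or of the JSON gem's own code), the Ruby script below shows the create_additions mechanism behind the report: when additions are enabled, which the affected json versions did by default, a document carrying the gem's create_id key ("json_class") is turned into an instance of whatever loaded class it names, here a hypothetical SessionToken; with additions disabled, the default since 1.7.7, the same document stays a plain Hash. The contains_create_id? walker is a hypothetical defensive check for code that must still run on a legacy gem. The attacker document is constructed for the example.

```ruby
require 'json'

# Hypothetical application class with a json_create hook. The JSON gem's
# create_additions feature calls Klass.json_create(hash) for any parsed object
# whose "json_class" key (JSON.create_id) names a class that responds to it.
class SessionToken
  attr_reader :user_id, :admin

  def initialize(user_id, admin)
    @user_id = user_id
    @admin   = admin
  end

  def self.json_create(hash)
    new(hash['user_id'], hash['admin'])
  end
end

# Constructed attacker-controlled document: an ordinary-looking object that
# names a class and supplies the fields its json_create will read.
ATTACKER_DOC = '{"json_class":"SessionToken","user_id":1,"admin":true}'

# Parse with additions enabled, the behaviour the affected json versions had
# by default: the parser instantiates whatever class the document names.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

# Parse with additions disabled, the default since json 1.7.7: the document
# is data only and "json_class" is just another string key.
def parse_without_additions(doc)
  JSON.parse(doc, create_additions: false)
end

# Defensive check for code stuck on a legacy gem: walk the parsed structure
# and report whether any object carries the create_id key. Use it together
# with create_additions: false; on its own it only tells you the document
# tried to name a class.
def contains_create_id?(value, create_id = JSON.create_id)
  case value
  when Hash
    value.key?(create_id) ||
      value.each_value.any? { |v| contains_create_id?(v, create_id) }
  when Array
    value.any? { |v| contains_create_id?(v, create_id) }
  else
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  unsafe = parse_with_additions(ATTACKER_DOC)
  safe   = parse_without_additions(ATTACKER_DOC)
  puts "create_additions: true  -> #{unsafe.class} (admin=#{unsafe.admin.inspect})"
  puts "create_additions: false -> #{safe.class} #{safe.inspect}"
  puts "document tried to name a class: #{contains_create_id?(safe)}"
end
```

The same input reaches the application as either a SessionToken with admin set to true or as an inert Hash, and nothing in the document itself distinguishes the two cases; the parser option alone decides. That is why the fix was a default change in the gem rather than input filtering, and why application code on a patched gem should still pass create_additions: false explicitly instead of relying on the default.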
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
FreeBSD | any | noarch | ruby | = 1.9,1 | UNKNOWN |
FreeBSD | any | noarch | ruby | < 1.9.3.385,1 | UNKNOWN |
FreeBSD | any | noarch | rubygem18-json | < 1.7.7 | UNKNOWN |
FreeBSD | any | noarch | rubygem19-json | < 1.7.7 | UNKNOWN |
FreeBSD | any | noarch | rubygem18-json_pure | < 1.7.7 | UNKNOWN |
FreeBSD | any | noarch | rubygem19-json_pure | < 1.7.7 | UNKNOWN |