A flaw was found in rubygem-json. While parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269.

Mitigation

To mitigate this vulnerability, do not supply untrusted user input and/or untrusted strings to the following method calls or utilize code libraries which do so:

JSON(user_input)  
JSON[user_input, nil]  
JSON.parse(user_input, nil)  
JSON::Parser.new(user_input).parse

Also note that JSON.load() should never be given input from unknown sources.

References

bugzilla.redhat.com/show_bug.cgi?id=1827500

nvd.nist.gov/vuln/detail/CVE-2020-10663

www.cve.org/CVERecord?id=CVE-2020-10663

www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663

nessus 58

osv 12

debiancve 2

ubuntucve 2

debian 6

cve 2

openvas 29

github 2

alpinelinux 1

amazon 6

prion 2

veracode 3

freebsd 2

rubygems 3

fedora 5

suse 6

oraclelinux 3

rocky 3

hackerone 1

mageia 1

redhat 13

ibm 3

githubexploit 1

slackware 1

securityvulns 2

threatpost 1

ubuntu 2

cloudfoundry 1

photon 5

almalinux 2

gentoo 1

apple 2

nessus

Rocky Linux 8 : pcs (RLSA-2020:2462)

2022-02-09 00:00:00

FreeBSD : rubygem-json -- Unsafe Objection Creation Vulnerability in JSON (Additional fix) (40194e1c-6d89-11ea-8082-80ee73419af3)

2020-03-26 00:00:00

Amazon Linux AMI : rubygem-json-debuginfo (ALAS-2020-1423)

2020-08-31 00:00:00

osv

CVE-2020-10663

2020-04-28 21:15:11

Unsafe object creation in json RubyGem

2020-07-27 18:08:21

JSON gem has Improper Input Validation vulnerability

2017-10-24 18:33:37

debiancve

CVE-2020-10663

2020-04-28 21:15:00

CVE-2013-0269

2013-02-13 01:55:00

ubuntucve

CVE-2020-10663

2020-04-28 00:00:00

CVE-2013-0269

2013-02-12 00:00:00

debian

[SECURITY] [DLA 2192-1] ruby2.1 security update

2020-04-30 22:01:47

[SECURITY] [DLA 215-1] libjson-ruby security update

2015-04-30 16:34:41

[SECURITY] [DLA 2190-1] ruby-json security update

2020-04-28 08:12:45

cve

CVE-2020-10663

2020-04-28 21:15:00

CVE-2013-0269

2013-02-13 01:55:00

openvas

Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2020-1686)

2020-06-16 00:00:00

Debian: Security Advisory (DLA-2192-1)

2020-05-01 00:00:00

Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2020-1691)

2020-06-26 00:00:00

github

Unsafe object creation in json RubyGem

2020-07-27 18:08:21

JSON gem has Improper Input Validation vulnerability

2017-10-24 18:33:37

alpinelinux

CVE-2020-10663

2020-04-28 21:15:00

amazon

Medium: ruby19, ruby21

2020-08-26 23:10:00

Medium: rubygem-json

2020-08-26 23:09:00

Medium: ruby

2021-05-20 16:29:00

prion

Design/Logic Flaw

2020-04-28 21:15:00

Sql injection

2013-02-13 01:55:00

veracode

Denial Of Service (DoS)

2020-03-23 03:14:43

Arbitrary Code Execution

2019-05-02 04:44:25

Input Validation Bypass

2019-05-02 04:44:16

freebsd

rubygem-json -- Unsafe Objection Creation Vulnerability in JSON (Additional fix)

2020-03-19 00:00:00

Ruby -- Denial of Service and Unsafe Object Creation Vulnerability in JSON

2013-02-11 00:00:00

rubygems

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)

2020-03-18 21:00:00

Unsafe Object Creation Vulnerability in JSON (Additional fix)

2020-03-18 21:00:00

CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection

2013-02-11 20:00:00

fedora

[SECURITY] Fedora 18 Update: rubygem-json-1.6.8-1.fc18

2013-03-05 23:31:15

[SECURITY] Fedora 17 Update: rubygem-json-1.6.8-1.fc17

2013-03-05 23:33:55

[SECURITY] Fedora 31 Update: rubygem-json-2.2.0-202.fc31

2020-05-03 04:55:27

suse

Security update for rubygem-json_pure (important)

2013-04-09 19:04:58

Security update for rubygem-json_pure (important)

2013-04-03 20:08:23

Security update for rubygem-extlib (important)

2013-04-03 20:10:37

oraclelinux

pcs security update

2020-06-12 00:00:00

ruby:2.5 security, bug fix, and enhancement update

2021-07-02 00:00:00

ruby:2.6 security, bug fix, and enhancement update

2021-07-07 00:00:00

rocky

pcs security and bug fix update

2021-07-22 18:18:27

ruby:2.5 security, bug fix, and enhancement update

2021-06-29 13:58:20

ruby:2.6 security, bug fix, and enhancement update

2021-06-29 13:58:40

hackerone

Ruby: Variant of CVE-2013-0269 (Denial of Service and Unsafe Object Creation Vulnerability in JSON)

2019-10-03 05:19:48

mageia

Updated ruby-json packages fix security vulnerability

2020-05-05 15:20:37

redhat

(RHSA-2020:2462) Moderate: pcs security and bug fix update

2020-06-10 08:54:00

(RHSA-2020:2473) Moderate: pcs security and bug fix update

2020-06-10 09:17:23

(RHSA-2020:2670) Moderate: pcs security and bug fix update

2020-06-23 12:35:01

ibm

Security Bulletin: IBM Sterling Global Mailbox vulnerable to security bypass due to Apache Zookeeper (CVE-2020-10663)

2023-01-04 06:11:50

Security Bulletin: Multiple security vulnerabilities affect IBM Cloud Foundry Migration Runtime

2021-10-13 14:44:47

Security Bulletin: Multiple Vulnerabilities in CloudPak for Watson AIOPs

2023-01-26 10:16:23

githubexploit

Exploit for Improper Input Validation in Json Project Json

2020-03-24 09:53:23

slackware

ruby

2013-03-16 01:11:53

securityvulns

Ruby multiple security vulnerabilities

2013-02-24 00:00:00

[USN-1733-1] Ruby vulnerabilities

2013-02-24 00:00:00

threatpost

Ruby on Rails Patches DoS, Remote Execution Flaws

2013-02-13 17:51:57

ubuntu

Ruby vulnerabilities

2013-02-21 00:00:00

Ruby vulnerabilities

2021-03-18 00:00:00

cloudfoundry

USN-4882-1: Ruby vulnerabilities | Cloud Foundry

2021-04-14 00:00:00

photon

Important Photon OS Security Update - PHSA-2020-0089

2020-05-13 00:00:00

Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2020-1.0-0294

2020-05-14 00:00:00

Important Photon OS Security Update - PHSA-2020-3.0-0089

2020-05-13 00:00:00

almalinux

Moderate: ruby:2.5 security, bug fix, and enhancement update

2021-06-29 13:58:20

Moderate: ruby:2.6 security, bug fix, and enhancement update

2021-06-29 13:58:40

gentoo

Ruby: Denial of service

2014-12-13 00:00:00

apple

About the security content of macOS Big Sur 11.0.1 - Apple Support

2021-02-18 06:14:03

About the security content of macOS Big Sur 11.0.1

2020-11-12 00:00:00

Products

Security Intelligence
Non-intrusive assessment
Developers SDK
Windows scanner
Linux scanner
Perimeter control tool
MSSP

Database

Vulnerabilities
Exploits
IOC
Security News
BugBounty
Popular
Wild Exploited
Top Vulnerabilities

Tools

Linux Security Scanner
API integration
Subscriptions
Plugins
Manual Audit

Learn More

Stats
API
Docs
Api-keys
License
Pricing
Glossary
FAQ

Company

Blog
Contacts
About Us
OpenSource
EULA
Brand Guideline
Privacy Policy

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please contact us. Using Vulners services you are accepting Vulners services end-user license agreement

@2024 Vulners Inc

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.019 Low

EPSS

Percentile

88.3%

JSON

Related for RH:CVE-2020-10663