There is an unsafe object creation vulnerability in the json gem bundled with
Ruby. This vulnerability has been assigned the CVE identifier CVE-2020-10663.
We strongly recommend upgrading the json gem.

Details

When parsing certain JSON documents, the json gem (including the one bundled
with Ruby) can be coerced into creating arbitrary objects in the target system.

This is the same issue as CVE-2013-0269. The previous fix was incomplete, which
addressed JSON.parse(user_input), but didn’t address some other styles of JSON
parsing including JSON(user_input) and JSON.parse(user_input, nil).

See CVE-2013-0269 in detail. Note that the issue was exploitable to cause a
Denial of Service by creating many garbage-uncollectable Symbol objects, but
this kind of attack is no longer valid because Symbol objects are now
garbage-collectable. However, creating arbitrary objects may cause severe
security consequences depending upon the application code.

CPENameOperatorVersion
jsonlt2.3.0

CPE	Name	Operator	Version
	json	lt	2.3.0

References

www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

nessus 58

alpinelinux 1

amazon 6

redhatcve 1

osv 12

ubuntucve 2

debiancve 2

debian 6

cve 2

openvas 29

github 2

veracode 3

prion 2

freebsd 2

fedora 5

oraclelinux 3

rocky 3

suse 6

hackerone 1

redhat 13

githubexploit 1

mageia 1

ibm 3

rubygems 2

slackware 1

securityvulns 2

threatpost 1

ubuntu 2

cloudfoundry 1

photon 5

almalinux 2

gentoo 1

apple 2

nessus

Rocky Linux 8 : pcs (RLSA-2020:2462)

2022-02-09 00:00:00

FreeBSD : rubygem-json -- Unsafe Objection Creation Vulnerability in JSON (Additional fix) (40194e1c-6d89-11ea-8082-80ee73419af3)

2020-03-26 00:00:00

EulerOS 2.0 SP2 : ruby (EulerOS-SA-2020-1686)

2020-06-17 00:00:00

alpinelinux

CVE-2020-10663

2020-04-28 21:15:00

amazon

Medium: ruby19, ruby21

2020-08-26 23:10:00

Medium: rubygem-json

2020-08-26 23:09:00

Medium: ruby

2021-05-20 16:29:00

redhatcve

CVE-2020-10663

2020-04-24 04:33:39

osv

CVE-2020-10663

2020-04-28 21:15:11

Unsafe object creation in json RubyGem

2020-07-27 18:08:21

JSON gem has Improper Input Validation vulnerability

2017-10-24 18:33:37

ubuntucve

CVE-2020-10663

2020-04-28 00:00:00

CVE-2013-0269

2013-02-12 00:00:00

debiancve

CVE-2020-10663

2020-04-28 21:15:00

CVE-2013-0269

2013-02-13 01:55:00

debian

[SECURITY] [DLA 2192-1] ruby2.1 security update

2020-04-30 22:01:47

[SECURITY] [DLA 215-1] libjson-ruby security update

2015-04-30 16:34:41

[SECURITY] [DLA 2190-1] ruby-json security update

2020-04-28 08:12:45

cve

CVE-2020-10663

2020-04-28 21:15:00

CVE-2013-0269

2013-02-13 01:55:00

openvas

Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2020-1686)

2020-06-16 00:00:00

Debian: Security Advisory (DLA-2192-1)

2020-05-01 00:00:00

Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2020-1691)

2020-06-26 00:00:00

github

Unsafe object creation in json RubyGem

2020-07-27 18:08:21

JSON gem has Improper Input Validation vulnerability

2017-10-24 18:33:37

veracode

Denial Of Service (DoS)

2020-03-23 03:14:43

Arbitrary Code Execution

2019-05-02 04:44:25

Input Validation Bypass

2019-05-02 04:44:16

prion

Design/Logic Flaw

2020-04-28 21:15:00

Sql injection

2013-02-13 01:55:00

freebsd

rubygem-json -- Unsafe Objection Creation Vulnerability in JSON (Additional fix)

2020-03-19 00:00:00

Ruby -- Denial of Service and Unsafe Object Creation Vulnerability in JSON

2013-02-11 00:00:00

fedora

[SECURITY] Fedora 18 Update: rubygem-json-1.6.8-1.fc18

2013-03-05 23:31:15

[SECURITY] Fedora 17 Update: rubygem-json-1.6.8-1.fc17

2013-03-05 23:33:55

[SECURITY] Fedora 30 Update: rubygem-json-2.2.0-202.fc30

2020-05-03 04:41:34

oraclelinux

pcs security update

2020-06-12 00:00:00

ruby:2.5 security, bug fix, and enhancement update

2021-07-02 00:00:00

ruby:2.6 security, bug fix, and enhancement update

2021-07-07 00:00:00

rocky

pcs security and bug fix update

2021-07-22 18:18:27

ruby:2.5 security, bug fix, and enhancement update

2021-06-29 13:58:20

ruby:2.6 security, bug fix, and enhancement update

2021-06-29 13:58:40

suse

Security update for rubygem-json_pure (important)

2013-04-09 19:04:58

Security update for rubygem-json_pure (important)

2013-04-03 20:08:23

Security update for ruby2.5 (moderate)

2020-05-02 00:00:00

hackerone

Ruby: Variant of CVE-2013-0269 (Denial of Service and Unsafe Object Creation Vulnerability in JSON)

2019-10-03 05:19:48

redhat

(RHSA-2020:2473) Moderate: pcs security and bug fix update

2020-06-10 09:17:23

(RHSA-2020:2670) Moderate: pcs security and bug fix update

2020-06-23 12:35:01

(RHSA-2020:2462) Moderate: pcs security and bug fix update

2020-06-10 08:54:00

githubexploit

Exploit for Improper Input Validation in Json Project Json

2020-03-24 09:53:23

mageia

Updated ruby-json packages fix security vulnerability

2020-05-05 15:20:37

ibm

Security Bulletin: IBM Sterling Global Mailbox vulnerable to security bypass due to Apache Zookeeper (CVE-2020-10663)

2023-01-04 06:11:50

Security Bulletin: Multiple security vulnerabilities affect IBM Cloud Foundry Migration Runtime

2021-10-13 14:44:47

Security Bulletin: Multiple Vulnerabilities in CloudPak for Watson AIOPs

2023-01-26 10:16:23

rubygems

CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection

2013-02-11 20:00:00

Unsafe Object Creation Vulnerability in JSON (Additional fix)

2020-03-18 21:00:00

slackware

ruby

2013-03-16 01:11:53

securityvulns

[USN-1733-1] Ruby vulnerabilities

2013-02-24 00:00:00

Ruby multiple security vulnerabilities

2013-02-24 00:00:00

threatpost

Ruby on Rails Patches DoS, Remote Execution Flaws

2013-02-13 17:51:57

ubuntu

Ruby vulnerabilities

2013-02-21 00:00:00

Ruby vulnerabilities

2021-03-18 00:00:00

cloudfoundry

USN-4882-1: Ruby vulnerabilities | Cloud Foundry

2021-04-14 00:00:00

photon

Important Photon OS Security Update - PHSA-2020-0089

2020-05-13 00:00:00

Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2020-1.0-0294

2020-05-14 00:00:00

Important Photon OS Security Update - PHSA-2020-3.0-0089

2020-05-13 00:00:00

almalinux

Moderate: ruby:2.5 security, bug fix, and enhancement update

2021-06-29 13:58:20

Moderate: ruby:2.6 security, bug fix, and enhancement update

2021-06-29 13:58:40

gentoo

Ruby: Denial of service

2014-12-13 00:00:00

apple

About the security content of macOS Big Sur 11.0.1 - Apple Support

2021-02-18 06:14:03

About the security content of macOS Big Sur 11.0.1

2020-11-12 00:00:00

Products

Security Intelligence
Non-intrusive assessment
Developers SDK
Windows scanner
Linux scanner
Perimeter control tool
MSSP

Database

Vulnerabilities
Exploits
IOC
Security News
BugBounty
Popular
Wild Exploited
Top Vulnerabilities

Tools

Linux Security Scanner
API integration
Subscriptions
Plugins
Manual Audit

Learn More

Stats
API
Docs
Api-keys
License
Pricing
Glossary
FAQ

Company

Blog
Contacts
About Us
OpenSource
EULA
Brand Guideline
Privacy Policy

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please contact us. Using Vulners services you are accepting Vulners services end-user license agreement

@2024 Vulners Inc

JSON

Related for RUBY:JSON-2020-10663