Unsafe Object Creation Vulnerability in JSON (Additional fix)


When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269. The previous fix was incomplete, which addressed `JSON.parse(user_input)`, but didn’t address some other styles of JSON parsing including `JSON(user_input)` and `JSON.parse(user_input, nil)`. See CVE-2013-0269 in detail. Note that the issue was exploitable to cause a Denial of Service by creating many garbage-uncollectable Symbol objects, but this kind of attack is no longer valid because Symbol objects are now garbage-collectable. However, creating arbitrary objects may cause severe security consequences depending upon the application code. Please update the json gem to version 2.3.0 or later. You can use `gem update json` to update it. If you are using bundler, please add `gem "json", ">= 2.3.0"` to your Gemfile

Affected Software

CPE Name Name Version
ruby 2.4.9
ruby 2.5.0
ruby 2.5.7
ruby 2.6.0
ruby 2.6.5
ruby 2.7.0
ruby 2.7.1