CVE-2020-10663

CVSS v3.1 7.5 (High)
CVSS v2.0 5.0 (Medium)
EPSS 0.44% (75th percentile)
Affected Products 6
Advisories 27

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
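The mechanism behind this entry is the json gem's "additions" feature: when create_additions is enabled, a document carrying the JSON.create_id key (by default "json_class") causes the parser to look up that class and, if it responds to json_create, call it with the decoded Hash. Per the ruby-lang advisory for this CVE, the 2013 fix only forced additions off for JSON.parse(doc); the forms JSON(doc) and JSON.parse(doc, nil) on json <= 2.2.0 still fell through to the parser's own default, which created objects. The following is an added illustration for this record, not code from the json gem or the advisory; the AuditRecord class, the payload and the helper names are hypothetical. It shows the plain-Hash result of the safe call, the object the opt-in path builds from the same input, a regression check for the two bypass forms, and a version gate using this record's <= 2.2.0 bound.

```ruby
require 'json'
require 'rubygems'

# Hypothetical application class (not from the json gem or the advisory)
# that opts into the json gem's "additions" mechanism: any class that
# responds to json_create can be instantiated by the parser when
# create_additions is on and the input carries the JSON.create_id key
# (default "json_class").
class AuditRecord
  attr_reader :actor, :action

  def initialize(actor, action)
    @actor = actor
    @action = action
  end

  # Invoked by the parser with the decoded Hash when additions are enabled.
  def self.json_create(hash)
    new(hash['actor'], hash['action'])
  end
end

# Constructed attacker-controlled document: the json_class key names a class
# the caller never intended the parser to build.
MALICIOUS_DOC = '{"json_class":"AuditRecord","actor":"mallory","action":"drop_tables"}'

# Safe default: JSON.parse with no options (or a Hash of options) leaves
# create_additions off, so "json_class" is an ordinary key and the result
# is a plain Hash.
def parse_untrusted(doc)
  JSON.parse(doc)
end

# Explicit opt-in: this is the object-creation path the CVE reaches without
# the caller asking for it. Never enable it on untrusted input.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

# Regression check for the bypass fixed in json 2.3.0: on json <= 2.2.0,
# JSON(doc) and JSON.parse(doc, nil) used the parser's own default, which
# still created additions. On a fixed gem both return a Hash.
def parser_defaults_safe?(doc = MALICIOUS_DOC)
  JSON.parse(doc, nil).is_a?(Hash) && JSON(doc).is_a?(Hash)
end

# Version gate using the bound from this record (json <= 2.2.0 affected).
def json_gem_affected?(version = JSON::VERSION)
  Gem::Version.new(version) <= Gem::Version.new('2.2.0')
end

if __FILE__ == $0
  puts "json gem #{JSON::VERSION}, affected: #{json_gem_affected?}"
  puts "JSON.parse(doc)                         -> #{parse_untrusted(MALICIOUS_DOC).class}"
  puts "JSON.parse(doc, create_additions: true) -> #{parse_with_additions(MALICIOUS_DOC).class}"
  puts "parser defaults safe: #{parser_defaults_safe?}"
end
```

The adverse effect is application-dependent because the parser only instantiates classes that are already loaded and define json_create; what such a constructor does with attacker-chosen fields is what turns object creation into impact. Treat any call that enables create_additions on external input as a finding, and note that JSON.load has historically turned additions on by default, so untrusted data should go through JSON.parse.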

Weaknesses
CWE-20 Improper Input Validation
Related CVEs
CVE Status PUBLISHED
CNA MITRE
Published Date 2020-04-28 21:15:11
Updated Date 2023-11-07 03:14:11

Affected Products


Configuration #1 (AND of the two groups below)

Group 1 (OR)
  Vendor / Product               CPE23                                        From      Up To
  Json Project / Json for Ruby   cpe:2.3:a:json_project:json::*:*:*:*:ruby    -         <= 2.2.0

Group 2 (OR, running on/with)
  Vendor / Product               CPE23                                        From      Up To
  Ruby-lang / Ruby               cpe:2.3:a:ruby-lang:ruby                     >= 2.4.0  <= 2.4.9
  Ruby-lang / Ruby               cpe:2.3:a:ruby-lang:ruby                     >= 2.5.0  <= 2.5.7
  Ruby-lang / Ruby               cpe:2.3:a:ruby-lang:ruby                     >= 2.6.0  <= 2.6.5

Configuration #2

  Vendor / Product               CPE23                                        Version
  Fedoraproject / Fedora         cpe:2.3:o:fedoraproject:fedora:30            30
  Fedoraproject / Fedora         cpe:2.3:o:fedoraproject:fedora:31            31

Configuration #3

  Vendor / Product               CPE23                                        Version
  Opensuse / Leap                cpe:2.3:o:opensuse:leap:15.1                 15.1

Configuration #4

  Vendor / Product               CPE23                                        Version
  Debian / Linux                 cpe:2.3:o:debian:debian_linux:8.0            8.0
  Debian / Linux                 cpe:2.3:o:debian:debian_linux:10.0           10.0

Configuration #5

  Vendor / Product               CPE23                                        Version
  Apple / Macos                  cpe:2.3:o:apple:macos:11.0.1                 11.0.1