CVE-2020-10663

Severity: high

Description

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.

References

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00004.html

http://seclists.org/fulldisclosure/2020/Dec/32

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.debian.org/debian-lts-announce/2020/04/msg00030.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/7QL6MJD2BO4IRJ5CJFNMCDYMQQFT24BJ/

https://lists.fedoraproject.org/archives/list/[email protected]/message/F4TNVTT66VPRMX5UZYSDGSVRXKKDDDU5/

https://lists.fedoraproject.org/archives/list/[email protected]/message/NK2PBXWMFRUD7U7Q7LHV4KYLYID77RI4/

https://security.netapp.com/advisory/ntap-20210129-0003/

https://support.apple.com/kb/HT211931

https://www.debian.org/security/2020/dsa-4721

https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Details

Source: MITRE

Published: 2020-04-28

Updated: 2021-04-04

Type: CWE-20

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Tenable Plugins

36 plugins in total.

| ID | Name | Product | Family | Severity |
| --- | --- | --- | --- | --- |
| 151449 | Oracle Linux 8 : ruby:2.6 (ELSA-2021-2588) | Nessus | Oracle Linux Local Security Checks | high |
| 151284 | Oracle Linux 8 : ruby:2.5 (ELSA-2021-2587) | Nessus | Oracle Linux Local Security Checks | high |
| 151147 | CentOS 8 : ruby:2.5 (CESA-2021:2587) | Nessus | CentOS Local Security Checks | high |
| 151146 | CentOS 8 : ruby:2.6 (CESA-2021:2588) | Nessus | CentOS Local Security Checks | high |
| 151143 | RHEL 8 : ruby:2.6 (RHSA-2021:2588) | Nessus | Red Hat Local Security Checks | high |
| 151141 | RHEL 8 : ruby:2.5 (RHSA-2021:2587) | Nessus | Red Hat Local Security Checks | high |
| 149871 | Amazon Linux 2 : ruby (ALAS-2021-1641) | Nessus | Amazon Linux Local Security Checks | high |
| 147970 | Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : Ruby vulnerabilities (USN-4882-1) | Nessus | Ubuntu Local Security Checks | high |
| 145846 | CentOS 8 : pcs (CESA-2020:2462) | Nessus | CentOS Local Security Checks | high |
| 143115 | macOS 11.0.x < 11.0.1 | Nessus | MacOS X Local Security Checks | high |
| 140906 | EulerOS 2.0 SP3 : ruby (EulerOS-SA-2020-2139) | Nessus | Huawei Local Security Checks | high |
| 140325 | EulerOS Virtualization for ARM 64 3.0.2.0 : ruby (EulerOS-SA-2020-1955) | Nessus | Huawei Local Security Checks | medium |
| 140096 | Amazon Linux AMI : ruby24 (ALAS-2020-1422) | Nessus | Amazon Linux Local Security Checks | high |
| 140094 | Amazon Linux AMI : ruby19 (ALAS-2020-1426) | Nessus | Amazon Linux Local Security Checks | high |
| 140093 | Amazon Linux AMI : rubygem-json-debuginfo (ALAS-2020-1423) | Nessus | Amazon Linux Local Security Checks | high |
| 139550 | Amazon Linux AMI : ruby20 (ALAS-2020-1416) | Nessus | Amazon Linux Local Security Checks | high |
| 138227 | Debian DSA-4721-1 : ruby2.5 - security update | Nessus | Debian Local Security Checks | medium |
| 137936 | EulerOS Virtualization 3.0.6.0 : ruby (EulerOS-SA-2020-1717) | Nessus | Huawei Local Security Checks | high |
| 137831 | RHEL 8 : pcs (RHSA-2020:2670) | Nessus | Red Hat Local Security Checks | high |
| 137798 | EulerOS Virtualization for ARM 64 3.0.6.0 : ruby (EulerOS-SA-2020-1691) | Nessus | Huawei Local Security Checks | medium |
| 137599 | SUSE SLES12 Security Update : ruby2.1 (SUSE-SU-2020:1570-1) | Nessus | SuSE Local Security Checks | high |
| 137528 | EulerOS 2.0 SP2 : ruby (EulerOS-SA-2020-1686) | Nessus | Huawei Local Security Checks | high |
| 137314 | RHEL 8 : pcs (RHSA-2020:2473) | Nessus | Red Hat Local Security Checks | high |
| 137310 | RHEL 8 : pcs (RHSA-2020:2462) | Nessus | Red Hat Local Security Checks | high |
| 137033 | EulerOS 2.0 SP5 : ruby (EulerOS-SA-2020-1615) | Nessus | Huawei Local Security Checks | high |
| 136868 | EulerOS 2.0 SP8 : ruby (EulerOS-SA-2020-1590) | Nessus | Huawei Local Security Checks | critical |
| 136781 | Fedora 31 : ruby (2020-a95706b117) | Nessus | Fedora Local Security Checks | medium |
| 136693 | Photon OS 1.0: Ruby PHSA-2020-1.0-0294 | Nessus | PhotonOS Local Security Checks | medium |
| 136581 | Photon OS 3.0: Ruby PHSA-2020-3.0-0089 | Nessus | PhotonOS Local Security Checks | medium |
| 136309 | openSUSE Security Update : ruby2.5 (openSUSE-2020-586) | Nessus | SuSE Local Security Checks | medium |
| 136301 | Fedora 30 : rubygem-json (2020-d171bf636d) | Nessus | Fedora Local Security Checks | high |
| 136294 | Fedora 31 : rubygem-json (2020-26df92331a) | Nessus | Fedora Local Security Checks | high |
| 136202 | Debian DLA-2192-1 : ruby2.1 security update | Nessus | Debian Local Security Checks | high |
| 136067 | Debian DLA-2190-1 : ruby-json security update | Nessus | Debian Local Security Checks | high |
| 135671 | SUSE SLED15 / SLES15 Security Update : ruby2.5 (SUSE-SU-2020:0995-1) | Nessus | SuSE Local Security Checks | medium |
| 134921 | FreeBSD : rubygem-json -- Unsafe Objection Creation Vulnerability in JSON (Additional fix) (40194e1c-6d89-11ea-8082-80ee73419af3) | Nessus | FreeBSD Local Security Checks | high |