CVE-2020-10663 – json

Package

Manager: gem
Name: json
Vulnerable Version: >=0 <2.3.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.04319 pctl0.88453

Details

Unsafe object creation in json RubyGem The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269/GHSA-x457-cw4h-hq5f, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.

Metadata

Created: 2020-07-27T18:08:21Z
Modified: 2023-01-25T22:49:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-jphg-qwrw-7w9g/GHSA-jphg-qwrw-7w9g.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-jphg-qwrw-7w9g
Finding: F184
Auto approve: 1