Ruby/json/1.2.2
This is a JSON implementation as a Ruby extension in C.
https://rubygems.org/gems/json
UNKNOWN
4 Security Vulnerabilities
Unsafe object creation in json RubyGem
- https://nvd.nist.gov/vuln/detail/CVE-2020-10663
- https://github.com/advisories/GHSA-jphg-qwrw-7w9g
- https://github.com/flori/json/blob/master/CHANGES.md#2019-12-11-230
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2020-10663.yml
- https://lists.debian.org/debian-lts-announce/2020/04/msg00030.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7QL6MJD2BO4IRJ5CJFNMCDYMQQFT24BJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F4TNVTT66VPRMX5UZYSDGSVRXKKDDDU5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NK2PBXWMFRUD7U7Q7LHV4KYLYID77RI4/
- https://www.debian.org/security/2020/dsa-4721
- https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00004.html
- https://lists.apache.org/thread.html/r8d2e174230f6d26e16c007546e804c343f1f68956f526daaafa4aaae@%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rd9b9cc843f5cf5b532bdad9e87a817967efcf52b917e8c43b6df4cc7@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/ree3abcd33c06ee95ab59faa1751198a1186d8941ddc2c2562c12966c@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r5f17bfca1d6e7f4b33ae978725b2fd62a9f1b3111696eafa9add802d@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rb023d54a46da1ac0d8969097f5fecc79636b07d3b80db7b818a5c55c@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rb2b981912446a74e14fe6076c4b7c7d8502727ea0718e6a65a9b1be5@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rec8bb4d637b04575da41cfae49118e108e95d43bfac39b7b698ee4db@%3Cissues.zookeeper.apache.org%3E
- https://support.apple.com/kb/HT211931
- http://seclists.org/fulldisclosure/2020/Dec/32
- https://security.netapp.com/advisory/ntap-20210129-0003/
- https://lists.apache.org/thread.html/r37c0e1807da7ff2bdd028bbe296465a6bbb99e2320dbe661d5d8b33b@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r3b04f4e99a19613f88ae088aa18cd271231a3c79dfff8f5efa8cda61@%3Cissues.zookeeper.apache.org%3E
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269/GHSA-x457-cw4h-hq5f, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
JSON gem has Improper Input Validation vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2013-0269
- https://github.com/advisories/GHSA-x457-cw4h-hq5f
- https://exchange.xforce.ibmcloud.com/vulnerabilities/82010
- https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain
- https://puppet.com/security/cve/cve-2013-0269
- http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html
- http://rhn.redhat.com/errata/RHSA-2013-0686.html
- http://rhn.redhat.com/errata/RHSA-2013-0701.html
- http://rhn.redhat.com/errata/RHSA-2013-1028.html
- http://rhn.redhat.com/errata/RHSA-2013-1147.html
- http://secunia.com/advisories/52075
- http://secunia.com/advisories/52774
- http://secunia.com/advisories/52902
- http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
- http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/
- http://www.openwall.com/lists/oss-security/2013/02/11/7
- http://www.openwall.com/lists/oss-security/2013/02/11/8
- http://www.osvdb.org/90074
- http://www.securityfocus.com/bid/57899
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862
- http://www.ubuntu.com/usn/USN-1733-1
- http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection
- https://web.archive.org/web/20130228082541/http://www.securityfocus.com/bid/57899
- https://web.archive.org/web/20160331131233/http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
- https://web.archive.org/web/20160808163226/https://puppet.com/security/cve/cve-2013-0269
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2013-0269.yml
The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka Unsafe Object Creation Vulnerability.
CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection
The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7
for Ruby allows remote attackers to cause a denial of service (resource consumption)
or bypass the mass assignment protection mechanism via a crafted JSON document that
triggers the creation of arbitrary Ruby symbols or certain internal objects, as
demonstrated by conducting a SQL injection attack against Ruby on Rails, aka Unsafe
Object Creation Vulnerability.
json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
There is an unsafe object creation vulnerability in the json gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2020-10663. We strongly recommend upgrading the json gem.
Details
When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system.
This is the same issue as CVE-2013-0269. The previous fix was incomplete, which addressed JSON.parse(userinput), but didn’t address some other styles of JSON parsing including JSON(userinput) and JSON.parse(user_input, nil).
See CVE-2013-0269 in detail. Note that the issue was exploitable to cause a Denial of Service by creating many garbage-uncollectable Symbol objects, but this kind of attack is no longer valid because Symbol objects are now garbage-collectable. However, creating arbitrary objects may cause severe security consequences depending upon the application code.
81 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
2.7.2 | Ruby | 2024-04-04 - 03:31 | about 2 months | |
2.7.1 | Ruby | 2023-12-05 - 04:13 | 6 months | |
2.7.0 | Ruby | 2023-12-01 - 06:38 | 6 months | |
2.6.3 | Ruby | 2022-12-05 - 11:10 | over 1 year | |
2.6.2 | Ruby | 2022-05-16 - 22:01 | about 2 years | |
2.6.1 | Ruby | 2021-10-24 - 00:23 | over 2 years | |
2.6.0 | Ruby | 2021-10-14 - 08:03 | over 2 years | |
2.5.1 | Ruby | 2020-12-22 - 12:49 | over 3 years | |
2.5.0 | Ruby | 2020-12-22 - 10:45 | over 3 years | |
2.4.1 | Ruby | 2020-12-17 - 05:16 | over 3 years | |
2.4.0 | Ruby | 2020-12-15 - 10:49 | over 3 years | |
2.3.1 | Ruby | 2020-06-30 - 12:17 | almost 4 years | |
2.3.0 | Ruby | 2019-12-11 - 17:33 | over 4 years | |
2.2.0 | Ruby | 2 | 2019-02-21 - 22:28 | about 5 years |
2.1.0 | Ruby | 2 | 2017-04-18 - 09:40 | about 7 years |
2.0.4 | Ruby | 2 | 2017-04-11 - 10:42 | about 7 years |
2.0.3 | Ruby | 2 | 2017-01-12 - 14:21 | over 7 years |
2.0.2 | Ruby | 2 | 2016-07-26 - 11:12 | almost 8 years |
2.0.1 | Ruby | 2 | 2016-07-01 - 15:34 | almost 8 years |
2.0.0 | Ruby | 2 | 2016-07-01 - 09:32 | almost 8 years |
1.8.6 | Ruby | 2 | 2017-01-13 - 11:12 | over 7 years |
1.8.5 | Ruby | 2 | 2017-01-12 - 11:47 | over 7 years |
1.8.3 | Ruby | 2 | 2015-06-02 - 07:29 | almost 9 years |
1.8.2 | Ruby | 2 | 2015-01-09 - 00:58 | over 9 years |
1.8.1 | Ruby | 2 | 2013-10-17 - 12:05 | over 10 years |
1.8.0 | Ruby | 2 | 2013-05-13 - 12:57 | about 11 years |
1.7.7 | Ruby | 2 | 2013-02-11 - 18:12 | over 11 years |
1.7.6 | UNKNOWN | 4 | 2012-12-31 - 00:41 | over 11 years |
1.7.5 | UNKNOWN | 4 | 2012-08-17 - 19:00 | almost 12 years |
1.7.4 | UNKNOWN | 4 | 2012-07-26 - 07:47 | almost 12 years |
1.7.3 | UNKNOWN | 4 | 2012-05-11 - 22:27 | about 12 years |
1.7.2 | UNKNOWN | 4 | 2012-05-11 - 19:04 | about 12 years |
1.7.1 | UNKNOWN | 4 | 2012-05-07 - 11:29 | about 12 years |
1.7.0 | UNKNOWN | 4 | 2012-04-28 - 01:29 | about 12 years |
1.6.8 | UNKNOWN | 2 | 2013-02-11 - 18:05 | over 11 years |
1.6.7 | UNKNOWN | 3 | 2012-04-28 - 01:17 | about 12 years |
1.6.6 | UNKNOWN | 3 | 2012-03-26 - 15:11 | about 12 years |
1.6.5 | UNKNOWN | 3 | 2012-01-15 - 14:50 | over 12 years |
1.6.4 | UNKNOWN | 3 | 2011-12-24 - 14:17 | over 12 years |
1.6.3 | UNKNOWN | 3 | 2011-12-01 - 08:18 | over 12 years |
1.6.2 | UNKNOWN | 3 | 2011-11-28 - 16:05 | over 12 years |
1.6.1 | UNKNOWN | 3 | 2011-09-18 - 13:26 | over 12 years |
1.6.0.1 | UNKNOWN | 3 | 2011-09-13 - 20:19 | over 12 years |
1.6.0 | UNKNOWN | 3 | 2011-09-12 - 23:26 | over 12 years |
1.5.5 | UNKNOWN | 2 | 2013-02-11 - 18:05 | over 11 years |
1.5.4 | UNKNOWN | 3 | 2011-08-31 - 23:26 | over 12 years |
1.5.3 | UNKNOWN | 3 | 2011-06-20 - 12:36 | almost 13 years |
1.5.2 | UNKNOWN | 3 | 2011-06-14 - 22:39 | almost 13 years |
1.5.1 | UNKNOWN | 3 | 2011-01-26 - 01:20 | over 13 years |
1.5.0 | UNKNOWN | 3 | 2011-01-23 - 06:02 | over 13 years |
1.4.6 | UNKNOWN | 4 | 2010-08-12 - 23:16 | almost 14 years |
1.4.5 | UNKNOWN | 4 | 2010-08-07 - 16:05 | almost 14 years |
1.4.4 | UNKNOWN | 4 | 2010-08-06 - 20:03 | almost 14 years |
1.4.3 | UNKNOWN | 4 | 2010-08-03 - 22:54 | almost 14 years |
1.4.2 | UNKNOWN | 4 | 2010-04-27 - 22:42 | about 14 years |
1.4.1 | UNKNOWN | 4 | 2010-04-25 - 13:47 | about 14 years |
1.4.0 | UNKNOWN | 4 | 2010-04-23 - 21:31 | about 14 years |
1.2.4 | UNKNOWN | 4 | 2010-04-08 - 07:52 | about 14 years |
1.2.3 | UNKNOWN | 4 | 2010-03-11 - 09:12 | about 14 years |
1.2.2 | UNKNOWN | 4 | 2010-02-28 - 17:17 | about 14 years |
1.2.1 | UNKNOWN | 4 | 2010-02-26 - 21:29 | about 14 years |
1.2.0 | UNKNOWN | 4 | 2009-11-08 - 04:16 | over 14 years |
1.1.9 | UNKNOWN | 4 | 2009-09-24 - 22:13 | over 14 years |
1.1.8 | UNKNOWN | 4 | 2009-09-24 - 22:13 | over 14 years |
1.1.7 | UNKNOWN | 4 | 2009-08-05 - 00:38 | almost 15 years |
1.1.6 | UNKNOWN | 4 | 2009-07-25 - 18:11 | almost 15 years |
1.1.5 | UNKNOWN | 4 | 2009-07-25 - 18:11 | almost 15 years |
1.1.4 | UNKNOWN | 4 | 2009-07-25 - 18:11 | almost 15 years |
1.1.3 | UNKNOWN | 4 | 2009-07-25 - 18:11 | almost 15 years |
1.1.2 | UNKNOWN | 4 | 2009-07-25 - 18:11 | almost 15 years |
1.1.1 | UNKNOWN | 4 | 2009-09-24 - 22:13 | over 14 years |
1.1.0 | UNKNOWN | 4 | 2009-09-24 - 22:13 | over 14 years |
1.0.4 | UNKNOWN | 5 | 2009-09-24 - 22:13 | over 14 years |
1.0.3 | UNKNOWN | 5 | 2009-09-24 - 22:13 | over 14 years |
1.0.2 | UNKNOWN | 5 | 2009-07-25 - 18:11 | almost 15 years |
1.0.1 | UNKNOWN | 5 | 2009-07-25 - 18:11 | almost 15 years |
1.0.0 | UNKNOWN | 5 | 2009-07-25 - 18:11 | almost 15 years |
0.4.3 | UNKNOWN | 5 | 2009-07-25 - 18:11 | almost 15 years |
0.4.2 | UNKNOWN | 5 | 2009-07-25 - 18:11 | almost 15 years |
0.4.1 | UNKNOWN | 5 | 2009-07-25 - 18:11 | almost 15 years |
0.4.0 | UNKNOWN | 5 | 2009-07-25 - 18:11 | almost 15 years |