CVE-2017-14064

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2017-14064
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-14064.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2017-14064
Downstream
Related
Published
2017-08-31T17:29:00.183Z
Modified
2026-05-18T05:49:28.579480054Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\0' byte, returning a pointer to a string of length zero, which is not the length stored in space_len.

Database specific 
{
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "last_affected": "14.04"
                },
                {
                    "last_affected": "16.04"
                },
                {
                    "last_affected": "17.10"
                }
            ],
            "cpes": [
                "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
                "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
                "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*"
            ],
            "source": "CPE_FIELD",
            "vendor_product": "canonical:ubuntu_linux"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "8.0"
                },
                {
                    "last_affected": "9.0"
                }
            ],
            "cpes": [
                "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
            ],
            "source": "CPE_FIELD",
            "vendor_product": "debian:debian_linux"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "7.0"
                }
            ],
            "cpes": [
                "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*"
            ],
            "source": "CPE_FIELD",
            "vendor_product": "redhat:enterprise_linux_desktop"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "7.0"
                }
            ],
            "cpes": [
                "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*"
            ],
            "source": "CPE_FIELD",
            "vendor_product": "redhat:enterprise_linux_server"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "7.4"
                },
                {
                    "last_affected": "7.6"
                }
            ],
            "cpes": [
                "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*",
                "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*"
            ],
            "source": "CPE_FIELD",
            "vendor_product": "redhat:enterprise_linux_server_aus"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "7.4"
                },
                {
                    "last_affected": "7.5"
                },
                {
                    "last_affected": "7.6"
                }
            ],
            "cpes": [
                "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*",
                "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*",
                "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*"
            ],
            "source": "CPE_FIELD",
            "vendor_product": "redhat:enterprise_linux_server_eus"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "7.4"
                },
                {
                    "last_affected": "7.6"
                }
            ],
            "cpes": [
                "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*",
                "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*"
            ],
            "source": "CPE_FIELD",
            "vendor_product": "redhat:enterprise_linux_server_tus"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "7.0"
                }
            ],
            "cpes": [
                "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*"
            ],
            "source": "CPE_FIELD",
            "vendor_product": "redhat:enterprise_linux_workstation"
        }
    ]
}
References

Affected packages

Git / github.com/ruby/json

Affected ranges

Type
GIT
Repo
https://github.com/ruby/json
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
8f782fd8e181d9cfe9387ded43a5ca9692266b85
Database specific 
{
    "source": "REFERENCES"
}

Affected versions

v1.*
v1.1.8
v1.2.0
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4-java
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.7
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v2.*
v2.0.0
v2.0.1
v2.0.2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-14064.json"

Git / github.com/ruby/ruby

Affected ranges

Type
GIT
Repo
https://github.com/ruby/ruby
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
530165c2948c3eed741db5659f7b937270caa46a
Last affected
d40ea2afa6ff5a6e5befcf342fb7b6dc58796b20
Last affected
9993701c7d3d83e24699177fef3238d8bf7bbbab
Last affected
e3434401aca2e331132652d4458366267e8cf378
Last affected
5827d8e887d881eb3a6e6ea7410590261c90545f
Last affected
9d222264d5e6a2dcac5aceafb5742a65e53dc513
Last affected
c91cb76f8d84b2963f6ede2ef445ad46a6104216
Last affected
4bd69735af901266ec21486243fc206030caa6b9
Last affected
d4bb726b713658f56e630b6cf817a0155b6f390e
Last affected
8183c0532207ad0a9b9f99b659116218a9fa132b
Last affected
e11c22602af69e8139ec0649bb39f5a66d1e66a1
Last affected
81234c5ecaab58e03e346ebdbf5678e4b8a3db55
Last affected
55b2febff000595e6c5d8120ccb888855b7edb6f
Last affected
820605ba3c10b9f4dafc4e5d6e09765b8b31cbea
Database specific 
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.2.7"
        },
        {
            "last_affected": "2.3.0"
        },
        {
            "last_affected": "2.3.0-preview1"
        },
        {
            "last_affected": "2.3.0-preview2"
        },
        {
            "last_affected": "2.3.1"
        },
        {
            "last_affected": "2.3.2"
        },
        {
            "last_affected": "2.3.3"
        },
        {
            "last_affected": "2.3.4"
        },
        {
            "last_affected": "2.4.0"
        },
        {
            "last_affected": "2.4.0-preview1"
        },
        {
            "last_affected": "2.4.0-preview2"
        },
        {
            "last_affected": "2.4.0-preview3"
        },
        {
            "last_affected": "2.4.0-rc1"
        },
        {
            "last_affected": "2.4.1"
        }
    ],
    "source": "CPE_FIELD",
    "cpe": [
        "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:ruby-lang:ruby:2.3.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:ruby-lang:ruby:2.3.0:preview1:*:*:*:*:*:*",
        "cpe:2.3:a:ruby-lang:ruby:2.3.0:preview2:*:*:*:*:*:*",
        "cpe:2.3:a:ruby-lang:ruby:2.3.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:ruby-lang:ruby:2.3.2:*:*:*:*:*:*:*",
        "cpe:2.3:a:ruby-lang:ruby:2.3.3:*:*:*:*:*:*:*",
        "cpe:2.3:a:ruby-lang:ruby:2.3.4:*:*:*:*:*:*:*",
        "cpe:2.3:a:ruby-lang:ruby:2.4.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:ruby-lang:ruby:2.4.0:preview1:*:*:*:*:*:*",
        "cpe:2.3:a:ruby-lang:ruby:2.4.0:preview2:*:*:*:*:*:*",
        "cpe:2.3:a:ruby-lang:ruby:2.4.0:preview3:*:*:*:*:*:*",
        "cpe:2.3:a:ruby-lang:ruby:2.4.0:rc1:*:*:*:*:*:*",
        "cpe:2.3:a:ruby-lang:ruby:2.4.1:*:*:*:*:*:*:*"
    ]
}

Affected versions

Other
v1_0_r2
v2_2_0_rc1
v2_2_7
v2_3_0
v2_3_0_preview1
v2_3_0_preview2
v2_3_1
v2_3_2
v2_3_3
v2_3_4
v2_4_0
v2_4_0_preview1
v2_4_0_preview2
v2_4_0_preview3
v2_4_0_rc1
v2_4_1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-14064.json"