CVE-2020-10663

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-10663
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-10663.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-10663
Aliases
Downstream
Related
Published
2020-04-28T21:15:11Z
Modified
2025-10-08T03:52:17.720571Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
[none]
Details

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
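The description above says only that "JSON parsing methods" can be coerced into creating objects. The mechanism the json gem exposes for this is its "additions" feature: a hash carrying the `JSON.create_id` key (`"json_class"` by default) is turned into an instance of the named class when `create_additions` is enabled. The following is an added defensive example, not code from the CVE record or from the json project: it parses untrusted input with additions explicitly disabled, and walks the result to report which class names a permissive parser would have tried to instantiate, so an application can log or reject such documents. The function names and the sample document are constructed for this example.

```ruby
require 'json'

# Parse untrusted JSON with additions explicitly disabled, so a "json_class"
# key comes back as ordinary data instead of selecting a class to instantiate.
# Passing the option explicitly (rather than relying on the default or on a
# nil options argument) keeps the call on the safe path.
def safe_parse(src)
  JSON.parse(src, create_additions: false)
end

# Walk a parsed structure and collect the class names that a parser with
# additions enabled would have tried to instantiate: any hash carrying the
# JSON.create_id key ("json_class" by default), at any nesting depth.
# The caller can log these or reject the document outright.
def addition_targets(data, found = [])
  case data
  when Hash
    found << data[JSON.create_id] if data.key?(JSON.create_id)
    data.each_value { |v| addition_targets(v, found) }
  when Array
    data.each { |v| addition_targets(v, found) }
  end
  found
end

# Constructed sample input (not from the advisory): a document that carries
# addition keys both at top level and nested inside an array. The class
# names are placeholders.
SAMPLE = '{"json_class":"SomeClass","items":[{"json_class":"Other","v":1}],"ok":true}'

if __FILE__ == $0
  parsed = safe_parse(SAMPLE)
  puts parsed.class             # Hash, never an instance of SomeClass
  p addition_targets(parsed)    # ["SomeClass", "Other"]
end
```

Even on a fixed json version, keeping `create_additions: false` explicit in every parse of external input and treating a non-empty `addition_targets` result as a signal worth logging gives you a check that does not depend on which gem version is bundled with the running Ruby.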

References

Affected packages

Git / github.com/flori/json

Affected ranges

Type
GIT
Repo
https://github.com/flori/json
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Type
GIT
Repo
https://github.com/ruby/ruby
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

v1.*

v1.1.8
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.4-java
v1.4.5
v1.4.6
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.8.0
v1.8.1
v1.8.2
v1.8.3

v2.*

v2.0.0
v2.0.1
v2.0.2
v2.1.0
v2.2.0