UBUNTU-CVE-2020-10663
See a problem?- Source
- https://ubuntu.com/security/notices/UBUNTU-CVE-2020-10663
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-10663.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2020-10663
- Related
- Published
- 2020-04-28T21:15:00Z
- Modified
- 2020-04-28T21:15:00Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
- References
Affected packages
Ubuntu:Pro:14.04:LTS / ruby-json
Package
- Name
- ruby-json
Ubuntu:16.04:LTS / ruby2.3
Package
- Name
- ruby2.3
- Purl
- pkg:deb/ubuntu/ruby2.3@2.3.1-2~ubuntu16.04.15?arch=src?distro=xenial
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.3.1-2~ubuntu16.04.15
Affected versions
2.*
2.3.0-1
2.3.0-2
2.3.0-4ubuntu2
2.3.0-4ubuntu3
2.3.0-5ubuntu1
2.3.1-2~16.04
2.3.1-2~16.04.2
2.3.1-2~16.04.4
2.3.1-2~16.04.5
2.3.1-2~16.04.6
2.3.1-2~16.04.7
2.3.1-2~16.04.9
2.3.1-2~16.04.10
2.3.1-2~16.04.11
2.3.1-2~16.04.12
2.3.1-2~ubuntu16.04.13
2.3.1-2~ubuntu16.04.14
Ecosystem specific
{
"availability": "No subscription required",
"ubuntu_priority": "medium",
"binaries": [
{
"libruby2.3-dbgsym": "2.3.1-2~ubuntu16.04.15",
"ruby2.3-tcltk": "2.3.1-2~ubuntu16.04.15",
"ruby2.3-dev-dbgsym": "2.3.1-2~ubuntu16.04.15",
"libruby2.3-dbg": "2.3.1-2~ubuntu16.04.15",
"ruby2.3-dev": "2.3.1-2~ubuntu16.04.15",
"ruby2.3-dbgsym": "2.3.1-2~ubuntu16.04.15",
"libruby2.3": "2.3.1-2~ubuntu16.04.15",
"ruby2.3-tcltk-dbgsym": "2.3.1-2~ubuntu16.04.15",
"ruby2.3": "2.3.1-2~ubuntu16.04.15",
"ruby2.3-doc": "2.3.1-2~ubuntu16.04.15"
}
]
}
Ubuntu:Pro:16.04:LTS / ruby-json
Package
- Name
- ruby-json
Ubuntu:18.04:LTS / ruby2.5
Package
- Name
- ruby2.5
- Purl
- pkg:deb/ubuntu/ruby2.5@2.5.1-1ubuntu1.8?arch=src?distro=bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.5.1-1ubuntu1.8
Affected versions
2.*
2.5.0~preview1-1ubuntu2
2.5.0-4ubuntu1
2.5.0-4ubuntu4
2.5.0-5ubuntu1
2.5.0-6ubuntu1
2.5.1-1ubuntu1
2.5.1-1ubuntu1.1
2.5.1-1ubuntu1.2
2.5.1-1ubuntu1.4
2.5.1-1ubuntu1.5
2.5.1-1ubuntu1.6
2.5.1-1ubuntu1.7
Ecosystem specific
{
"availability": "No subscription required",
"ubuntu_priority": "medium",
"binaries": [
{
"ruby2.5": "2.5.1-1ubuntu1.8",
"ruby2.5-dbgsym": "2.5.1-1ubuntu1.8",
"libruby2.5": "2.5.1-1ubuntu1.8",
"libruby2.5-dbgsym": "2.5.1-1ubuntu1.8",
"ruby2.5-dev": "2.5.1-1ubuntu1.8",
"ruby2.5-doc": "2.5.1-1ubuntu1.8"
}
]
}
Ubuntu:Pro:18.04:LTS / ruby-json
Package
- Name
- ruby-json
Ubuntu:20.04:LTS / ruby-json
Package
- Name
- ruby-json
- Purl
- pkg:deb/ubuntu/ruby-json@2.3.0+dfsg-1build1?arch=src?distro=focal
Ubuntu:20.04:LTS / ruby2.7
Package
- Name
- ruby2.7
- Purl
- pkg:deb/ubuntu/ruby2.7@2.7.0-5ubuntu1.2?arch=src?distro=focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.7.0-5ubuntu1.2
Affected versions
2.*
2.7.0-1
2.7.0-2
2.7.0-3
2.7.0-4
2.7.0-4ubuntu1
2.7.0-5ubuntu1
2.7.0-5ubuntu1.1
Ecosystem specific
{
"availability": "No subscription required",
"ubuntu_priority": "medium",
"binaries": [
{
"ruby2.7-doc": "2.7.0-5ubuntu1.2",
"ruby2.7-dbgsym": "2.7.0-5ubuntu1.2",
"ruby2.7": "2.7.0-5ubuntu1.2",
"libruby2.7": "2.7.0-5ubuntu1.2",
"libruby2.7-dbgsym": "2.7.0-5ubuntu1.2",
"ruby2.7-dev": "2.7.0-5ubuntu1.2"
}
]
}