CVE-2020-10663

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 28-04-2020 11:15

Last modified: - 18-04-2022 05:21

Total changes: - 5

Description

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Low

Attack complexity

Network

Attack vector

None

Availability

None

Confidentiality

High

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

7.5

Base score

3.9

3.6

Exploitability score

Impact score

Verification logic

AND

vendor=json_project AND product=json AND target_software=ruby AND versionEndIncluding=2.2.0

vendor=ruby-lang AND product=ruby AND versionEndIncluding=2.4.9 AND versionStartIncluding=2.4.0

vendor=ruby-lang AND product=ruby AND versionEndIncluding=2.5.7 AND versionStartIncluding=2.5.0

vendor=ruby-lang AND product=ruby AND versionEndIncluding=2.6.5 AND versionStartIncluding=2.6.0

vendor=fedoraproject AND product=fedora AND version=30

vendor=fedoraproject AND product=fedora AND version=31

vendor=opensuse AND product=leap AND version=15.1

vendor=Debian AND product=debian_linux AND version=8.0

vendor=Debian AND product=debian_linux AND version=10.0

vendor=apple AND product=macos AND version=11.0.1

vendor=apache AND product=zookeeper AND versionEndExcluding=3.5.9

vendor=apache AND product=zookeeper AND versionStartIncluding=3.6.0 AND versionEndExcluding=3.6.3

Reference

https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
[debian-lts-announce] 20200430 [SECURITY] [DLA 2192-1] ruby2.1 security update-Mailing List, Third Party Advisory
openSUSE-SU-2020:0586-Mailing List, Third Party Advisory
FEDORA-2020-26df92331a-Third Party Advisory
FEDORA-2020-d171bf636d-Third Party Advisory
FEDORA-2020-a95706b117-Third Party Advisory
DSA-4721-Third Party Advisory
[zookeeper-issues] 20200913 [jira] [Created] (ZOOKEEPER-3933) owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, CVE-2020-7712-Mailing List, Third Party Advisory
[zookeeper-dev] 20200913 [jira] [Created] (ZOOKEEPER-3933) owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, CVE-2020-7712-Mailing List, Third Party Advisory
[zookeeper-issues] 20200913 [jira] [Resolved] (ZOOKEEPER-3933) owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, CVE-2020-7712-Mailing List, Third Party Advisory
[zookeeper-issues] 20200930 [jira] [Issue Comment Deleted] (ZOOKEEPER-3933) owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, CVE-2020-7712-Mailing List, Third Party Advisory
[zookeeper-issues] 20200930 [jira] [Commented] (ZOOKEEPER-3933) owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, CVE-2020-7712-Mailing List, Third Party Advisory
[zookeeper-issues] 20200930 [jira] [Comment Edited] (ZOOKEEPER-3933) owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, CVE-2020-7712-Mailing List, Third Party Advisory
https://support.apple.com/kb/HT211931
20201215 APPLE-SA-2020-12-14-4 Additional information for APPLE-SA-2020-11-13-1 macOS Big Sur 11.0.1-Mailing List, Third Party Advisory
[zookeeper-issues] 20210106 [jira] [Updated] (ZOOKEEPER-3933) owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, CVE-2020-7712-Mailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20210129-0003/
[zookeeper-issues] 20210404 [jira] [Updated] (ZOOKEEPER-3933) owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, CVE-2020-7712-Mailing List, Third Party Advisory
[zookeeper-issues] 20210404 [jira] [Assigned] (ZOOKEEPER-3933) owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, CVE-2020-7712-Mailing List, Third Party Advisory

Keywords

CVE-2020-10663

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2020-10663

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures