Vulnerability Details : CVE-2020-10663
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
Vulnerability category: Input validation
Products affected by CVE-2020-10663
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:macos:11.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:json_project:json:*:*:*:*:*:ruby:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-10663
0.44%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 75 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-10663
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2020-10663
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-10663
-
http://seclists.org/fulldisclosure/2020/Dec/32
Full Disclosure: APPLE-SA-2020-12-14-4 Additional information for APPLE-SA-2020-11-13-1 macOS Big Sur 11.0.1Mailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F4TNVTT66VPRMX5UZYSDGSVRXKKDDDU5/
[SECURITY] Fedora 31 Update: ruby-2.6.6-125.fc31 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00004.html
[security-announce] openSUSE-SU-2020:0586-1: moderate: Security update fMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/r3b04f4e99a19613f88ae088aa18cd271231a3c79dfff8f5efa8cda61@%3Cissues.zookeeper.apache.org%3E
[jira] [Assigned] (ZOOKEEPER-3933) owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, CVE-2020-7712 - Pony MailMailing List;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2020/04/msg00030.html
[SECURITY] [DLA 2192-1] ruby2.1 security updateMailing List;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20210129-0003/
CVE-2020-10663 Ruby JSON gem Unsafe Object Creation Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.apache.org/thread.html/r5f17bfca1d6e7f4b33ae978725b2fd62a9f1b3111696eafa9add802d@%3Cissues.zookeeper.apache.org%3E
[jira] [Issue Comment Deleted] (ZOOKEEPER-3933) owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, CVE-2020-7712 - Pony MailMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/ree3abcd33c06ee95ab59faa1751198a1186d8941ddc2c2562c12966c@%3Cissues.zookeeper.apache.org%3E
[jira] [Resolved] (ZOOKEEPER-3933) owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, CVE-2020-7712 - Pony MailMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/rb2b981912446a74e14fe6076c4b7c7d8502727ea0718e6a65a9b1be5@%3Cissues.zookeeper.apache.org%3E
[jira] [Commented] (ZOOKEEPER-3933) owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, CVE-2020-7712 - Pony MailMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7QL6MJD2BO4IRJ5CJFNMCDYMQQFT24BJ/
[SECURITY] Fedora 31 Update: rubygem-json-2.2.0-202.fc31 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://support.apple.com/kb/HT211931
About the security content of macOS Big Sur 11.0.1 - Apple SupportThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NK2PBXWMFRUD7U7Q7LHV4KYLYID77RI4/
[SECURITY] Fedora 30 Update: rubygem-json-2.2.0-202.fc30 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional fix)Vendor Advisory
-
https://lists.apache.org/thread.html/rd9b9cc843f5cf5b532bdad9e87a817967efcf52b917e8c43b6df4cc7@%3Cissues.zookeeper.apache.org%3E
[jira] [Created] (ZOOKEEPER-3933) owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, CVE-2020-7712 - Pony MailMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/r37c0e1807da7ff2bdd028bbe296465a6bbb99e2320dbe661d5d8b33b@%3Cissues.zookeeper.apache.org%3E
[jira] [Updated] (ZOOKEEPER-3933) owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, CVE-2020-7712 - Pony MailMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/rb023d54a46da1ac0d8969097f5fecc79636b07d3b80db7b818a5c55c@%3Cissues.zookeeper.apache.org%3E
[jira] [Comment Edited] (ZOOKEEPER-3933) owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, CVE-2020-7712 - Pony MailMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/rec8bb4d637b04575da41cfae49118e108e95d43bfac39b7b698ee4db@%3Cissues.zookeeper.apache.org%3E
[jira] [Updated] (ZOOKEEPER-3933) owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, CVE-2020-7712 - Pony MailMailing List;Third Party Advisory
-
https://www.debian.org/security/2020/dsa-4721
Debian -- Security Information -- DSA-4721-1 ruby2.5Third Party Advisory
-
https://lists.apache.org/thread.html/r8d2e174230f6d26e16c007546e804c343f1f68956f526daaafa4aaae@%3Cdev.zookeeper.apache.org%3E
[jira] [Created] (ZOOKEEPER-3933) owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, CVE-2020-7712 - Pony MailMailing List;Third Party Advisory
Jump to