CVE-2020-10663

Description

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.

How to fix CVE-2020-10663

To remediate CVE-2020-10663, upgrade the affected package to a fixed version below.

• —upgrade to 2.5.8-r0 or later
• —upgrade to 2.1.5-2+deb8u10 or later
• —upgrade to 2.5.5-3+deb10u2 or later
• —upgrade to 2.3.0+dfsg-1 or later
• —upgrade to 1.8.1-1+deb8u1 or later
• —upgrade to 2.3.0 or later

Is CVE-2020-10663 being exploited?

Moderate — EPSS is 5.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (6)

• from 0, < 2.5.8-r0
• from 0, < 2.1.5-2+deb8u10
• from 0, < 2.5.5-3+deb10u2
• from 0, < 2.3.0+dfsg-1
• from 0, < 1.8.1-1+deb8u1
• from 0, < 2.3.0

CVSS scores

References (25)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-10663
• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2020-10663
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-10663
• PATCHgithub.com/flori/json
• WEB