Description
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
A flaw was found in rubygem-json. While parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269.
Report
Red Hat CloudForms 5 ships the vulnerable rubygem-json; its ruby package, however, is not affected, since it does not ship a version that bundles JSON in the standard library. This issue affects the version of JSON (embedded in pcs) shipped with Red Hat Gluster Storage 3; however, the vulnerable method calls are not currently used by the product, so this issue has been rated as having a security impact of Low.
Mitigation
To mitigate this vulnerability, do not supply untrusted user input and/or untrusted strings to the following method calls, or to code libraries which do so:
Also note that JSON.load() should never be given input from unknown sources.
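As an added example (not part of this advisory or of the json gem), the following Ruby contrasts the parsing call the mitigation warns about with a hardened entry point for untrusted input; the AuditNote class, the helper names and the sample document are constructed for illustration.

```ruby
require 'json'

# Constructed example class (not from the advisory). It opts into the json gem's
# additions protocol: a document whose "json_class" key names it makes the parser
# call AuditNote.json_create with the decoded hash, i.e. the untrusted input picks
# which class gets instantiated.
class AuditNote
  attr_reader :text

  def initialize(text)
    @text = text
  end

  def self.json_create(hash)
    new(hash["text"])
  end
end

# The pattern the advisory warns against: JSON.load with additions enabled
# (its historical default) instantiates whatever class the document names.
def load_with_additions(source)
  JSON.load(source, nil, create_additions: true)
end

# Hardened entry point for untrusted input: with create_additions false the parser
# never performs object creation, and a nesting limit bounds resource use.
def parse_untrusted(source)
  JSON.parse(source, create_additions: false, max_nesting: 32)
end

# Defensive check: report whether a decoded document, at any depth, still carries
# the create_id key ("json_class"), so such payloads can be logged before use.
def contains_create_id?(value)
  case value
  when Hash
    value.key?(JSON.create_id) || value.values.any? { |v| contains_create_id?(v) }
  when Array
    value.any? { |v| contains_create_id?(v) }
  else
    false
  end
end

# Constructed input naming the example class.
SAMPLE = '{"json_class":"AuditNote","text":"hello"}'.freeze

if $PROGRAM_NAME == __FILE__
  puts load_with_additions(SAMPLE).class              # AuditNote: the document chose the class
  puts parse_untrusted(SAMPLE).class                  # Hash: no object creation
  puts contains_create_id?(parse_untrusted(SAMPLE))   # true: flag it for review
end
```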
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
CloudForms Management Engine 5 | ruby | Not affected | ||
CloudForms Management Engine 5 | rubygem-json | Affected | ||
Red Hat 3scale API Management Platform 2 | system | Fix deferred | ||
Red Hat Enterprise Linux 5 | ruby | Not affected | ||
Red Hat Enterprise Linux 6 | ruby | Not affected | ||
Red Hat Enterprise Linux 7 | pcs | Not affected | ||
Red Hat Enterprise Linux 7 | ruby | Will not fix | ||
Red Hat Fuse 7 | jruby | Not affected | ||
Red Hat JBoss A-MQ 6 | jruby-3977 | Not affected | ||
Red Hat JBoss A-MQ 6 | jruby-4198 | Not affected | ||
Additional information
Status:
EPSS:
CVSS3: 7.3 High