====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN151
_____________________________________________________________________

DATE                : 25/03/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running json gem for Ruby
                           versions prior to 2.3.0.

=====================================================================
https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
_____________________________________________________________________

CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional
fix)

Posted by mame on 19 Mar 2020

There is an unsafe object creation vulnerability in the json gem bundled
with Ruby. This vulnerability has been assigned the CVE identifier
CVE-2020-10663 .

We strongly recommend upgrading the json gem.


Details

When parsing certain JSON documents, the json gem (including the one
bundled with Ruby) can be coerced into creating arbitrary objects in the
target system.

This is the same issue as CVE-2013-0269 . The previous fix was
incomplete, which addressed JSON.parse(user_input) , but didn  t address
some other styles of JSON parsing including JSON(user_input) and
JSON.parse(user_input, nil) .

See CVE-2013-0269 in detail. Note that the issue was exploitable to
cause a Denial of Service by creating many garbage-uncollectable Symbol
objects, but this kind of attack is no longer valid because Symbol
objects are now garbage-collectable. However, creating arbitrary objects
may cause severe security consequences depending upon the application
code.

Please update the json gem to version 2.3.0 or later. You can use gem
update json to update it. If you are using bundler, please add gem
"json", ">= 2.3.0" to your Gemfile .


Affected versions

  o JSON gem 2.2.0 or prior


Credits

Thanks to Jeremy Evans for discovering this issue.


History

  o Originally published at 2020-03-19 13:00:00 (UTC)

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================