<vuln vid="40194e1c-6d89-11ea-8082-80ee73419af3">

    <topic>rubygem-json -- Unsafe Objection Creation Vulnerability in JSON (Additional fix)</topic>

    <affects>

      <package>

	<name>rubygem-json</name>

	<range><le>2.3.0</le></range>

      </package>

    </affects>

    <description>

      <body xmlns="http://www.w3.org/1999/xhtml">

	<blockquote cite="https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/">

	  <p>When parsing certain JSON documents, the json gem (including the

	    one bundled with Ruby) can be coerced into creating arbitrary objects

	    in the target system.</p>

	  <p>This is the same issue as CVE-2013-0269. The previous fix was incomplete,

	     which addressed JSON.parse(user_input), but didn’t address some other

	     styles of JSON parsing including JSON(user_input) and

	     JSON.parse(user_input, nil).</p>

	  <p>See CVE-2013-0269 in detail. Note that the issue was exploitable to

	    cause a Denial of Service by creating many garbage-uncollectable

	    Symbol objects, but this kind of attack is no longer valid because

	    Symbol objects are now garbage-collectable. However, creating arbitrary

	    bjects may cause severe security consequences depending upon the

	    application code.</p>

	  <p>Please update the json gem to version 2.3.0 or later. You can use

	     gem update json to update it. If you are using bundler, please add

	     gem "json", "&gt;= 2.3.0" to your Gemfile.</p>

	</blockquote>

      </body>

    </description>

    <references>

      <url>https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/</url>

      <cvename>CVE-2020-10663</cvename>

    </references>

    <dates>

      <discovery>2020-03-19</discovery>

      <entry>2020-03-24</entry>

    </dates>

  </vuln>