7.5

CVE-2020-10663

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Json ProjectJson SwPlatformruby Version <= 2.2.0
   Ruby-langRuby Version >= 2.4.0 <= 2.4.9
   Ruby-langRuby Version >= 2.5.0 <= 2.5.7
   Ruby-langRuby Version >= 2.6.0 <= 2.6.5
FedoraprojectFedora Version30
FedoraprojectFedora Version31
OpensuseLeap Version15.1
DebianDebian Linux Version8.0
DebianDebian Linux Version10.0
ApplemacOS Version11.0.1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 6.54% 0.908
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:P/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://seclists.org/fulldisclosure/2020/Dec/32
Third Party Advisory
Mailing List