CVE-2020-10663: Input Validation

Published Mar 19, 2020
·
Updated

A flaw was found in rubygem-json. While parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269.

Other sources

In rubygem-json before 2.3.0 there is an unsafe object creation vulnerability. When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269.

References:

https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Red Hat

Ruby. This issue was addressed with improved checks.

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269/GHSA-x457-cw4h-hq5f, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.

Credit

Jeremy Evans

Affected Software

21 affected componentsFixes available
rubygems/json<2.3.0
2.3.0
redhat/pcs<0:0.10.4-6.el8_2.1
0:0.10.4-6.el8_2.1
redhat/pcs<0:0.10.1-4.el8_0.5
0:0.10.1-4.el8_0.5
redhat/pcs<0:0.10.2-4.el8_1.1
0:0.10.2-4.el8_1.1
redhat/rh-ruby25-ruby<0:2.5.9-9.el7
0:2.5.9-9.el7
redhat/rh-ruby26-ruby<0:2.6.7-119.el7
0:2.6.7-119.el7
debian/ruby-json
2.1.0+dfsg-2+deb10u12.3.0+dfsg-12.6.3+dfsg-1
debian/ruby2.5
2.5.5-3+deb10u42.5.5-3+deb10u6
debian/ruby2.7
2.7.4-1+deb11u1
redhat/rubygem-json<2.3.0
2.3.0
Apple macOS Big Sur<11.0.1
11.0.1
Json Project Json Ruby<=2.2.0
ruby-lang Ruby>=2.4.0<=2.4.9
ruby-lang Ruby>=2.5.0<=2.5.7
ruby-lang Ruby>=2.6.0<=2.6.5
Fedoraproject Fedora=30
Fedoraproject Fedora=31
openSUSE Leap=15.1
Debian Debian Linux=8.0
Debian Debian Linux=10.0
Apple macOS=11.0.1

Remediation

Information

To mitigate this vulnerability, do not supply untrusted user input and/or untrusted strings to the following method calls or utilize code libraries which do so: ``` JSON(user_input) JSON[user_input, nil] JSON.parse(user_input, nil) JSON::Parser.new(user_input).parse ``` Also note that JSON.load() should never be given input from unknown sources.

Event History

Mar 19, 2020
CVE Published
12:00 AM
Apr 24, 2020
Data Sourced
via Red Hat·04:18 AM
DescriptionSeverityAffected Software
Apr 28, 2020
CVE Published
via MITRE·08:58 PM
Data Sourced
via MITRE·08:58 PM
Description
Jul 27, 2020
Advisory Published
06:08 PM

Parent advisories

This vulnerability appears in the following advisories.

Peer vulnerabilities

Found alongside the following vulnerabilities.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2020-10663?

CVE-2020-10663 is an Unsafe Object Creation Vulnerability in the JSON gem for Ruby.

2

What software is affected by CVE-2020-10663?

Ruby versions 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5 are affected by CVE-2020-10663.

3

How severe is CVE-2020-10663?

CVE-2020-10663 has a severity value of 7, which is considered high.

4

What is the remedy for CVE-2020-10663?

To fix CVE-2020-10663, update your Ruby installation to a version that includes the fix.

5

Where can I find more information about CVE-2020-10663?

You can find more information about CVE-2020-10663 on the CVE website, NIST vulnerability database, Ruby's official website, and Red Hat's bugzilla and errata pages.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203