In rubygem-json before 2.3.0 there is an unsafe object creation vulnerability. When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269. References: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Created jruby tracking bugs for this issue: Affects: fedora-all [bug 1827506] Created ruby tracking bugs for this issue: Affects: fedora-all [bug 1827505] Created ruby:2.5/ruby tracking bugs for this issue: Affects: fedora-all [bug 1827503] Created ruby:2.6/ruby tracking bugs for this issue: Affects: fedora-all [bug 1827504] Created rubygem-json tracking bugs for this issue: Affects: epel-6 [bug 1827502] Affects: fedora-all [bug 1827501]
https://hackerone.com/reports/706934 https://github.com/ruby/ruby/commit/36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01
Statement: Red Hat CloudForms 5 uses vulnerable rubygem-json, however, is not vulnerable in Ruby since it does not use version which includes JSON into stdlib. This issue affects the version of JSON(embedded in pcs) as shipped with Red Hat Gluster Storage 3. However, the vulnerable method calls are currently not used by the product and hence this issue has been rated as having a security impact of Low.
External References: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663
Mitigation: To mitigate this vulnerability, do not supply untrusted user input and/or untrusted strings to the following method calls or utilize code libraries which do so: ``` JSON(user_input) JSON[user_input, nil] JSON.parse(user_input, nil) JSON::Parser.new(user_input).parse ``` Also note that JSON.load() should never be given input from unknown sources.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:2473 https://access.redhat.com/errata/RHSA-2020:2473
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10663
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2462 https://access.redhat.com/errata/RHSA-2020:2462
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:2670 https://access.redhat.com/errata/RHSA-2020:2670
(In reply to Mamoru TASAKA from comment #5) > https://hackerone.com/reports/706934 > https://github.com/ruby/ruby/commit/36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01 https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/ > Affected versions > JSON gem 2.2.0 or prior Note that the CVE-2020-10663 can also be fixed by upgrading Ruby to 2.7.1, 2.6.6 or 2.5.8. https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-7-1-released/ https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-6-6-released/ https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-5-8-released/
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:2104 https://access.redhat.com/errata/RHSA-2021:2104
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:2230 https://access.redhat.com/errata/RHSA-2021:2230
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2587 https://access.redhat.com/errata/RHSA-2021:2587
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2588 https://access.redhat.com/errata/RHSA-2021:2588
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582