Details of VAR-202004-0061

ID

VAR-202004-0061

CVE

CVE-2020-10663

TITLE

Red Hat Security Advisory 2021-2104-01.tt

Trust: 0.1

sources: PACKETSTORM: 162764

DESCRIPTION

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent. An attacker could exploit this vulnerability to forcibly create arbitrary objects on the target system. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: rh-ruby25-ruby security, bug fix, and enhancement update Advisory ID: RHSA-2021:2104-01 Product: Red Hat Software Collections Advisory URL: https://access.redhat.com/errata/RHSA-2021:2104 Issue date: 2021-05-25 CVE Names: CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2020-10663 CVE-2020-10933 CVE-2020-25613 CVE-2021-28965 ===================================================================== 1. Summary: An update for rh-ruby25-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch, ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - noarch, ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 3. Description: Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. The following packages have been upgraded to a later upstream version: rh-ruby25-ruby (2.5.9). (BZ#1952998) Security Fix(es): * ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? (CVE-2019-15845) * ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication (CVE-2019-16201) * ruby: Code injection via command argument of Shell#test / Shell#[] (CVE-2019-16255) * rubygem-json: Unsafe object creation vulnerability in JSON (CVE-2020-10663) * ruby: BasicSocket#read_nonblock method leads to information disclosure (CVE-2020-10933) * ruby: Potential HTTP request smuggling in WEBrick (CVE-2020-25613) * ruby: XML round-trip vulnerability in REXML (CVE-2021-28965) * ruby: HTTP response splitting in WEBrick (CVE-2019-16254) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * rh-ruby25-ruby: Resolv::DNS: timeouts if multiple IPv6 name servers are given and address contains leading zero [rhscl-3] (BZ#1953001) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: rh-ruby25-ruby-2.5.9-9.el7.src.rpm noarch: rh-ruby25-ruby-doc-2.5.9-9.el7.noarch.rpm rh-ruby25-ruby-irb-2.5.9-9.el7.noarch.rpm rh-ruby25-rubygem-did_you_mean-1.2.0-9.el7.noarch.rpm rh-ruby25-rubygem-minitest-5.10.3-9.el7.noarch.rpm rh-ruby25-rubygem-net-telnet-0.1.1-9.el7.noarch.rpm rh-ruby25-rubygem-power_assert-1.1.1-9.el7.noarch.rpm rh-ruby25-rubygem-rake-12.3.3-9.el7.noarch.rpm rh-ruby25-rubygem-rdoc-6.0.1.1-9.el7.noarch.rpm rh-ruby25-rubygem-test-unit-3.2.7-9.el7.noarch.rpm rh-ruby25-rubygem-xmlrpc-0.3.0-9.el7.noarch.rpm rh-ruby25-rubygems-2.7.6.3-9.el7.noarch.rpm rh-ruby25-rubygems-devel-2.7.6.3-9.el7.noarch.rpm ppc64le: rh-ruby25-ruby-2.5.9-9.el7.ppc64le.rpm rh-ruby25-ruby-debuginfo-2.5.9-9.el7.ppc64le.rpm rh-ruby25-ruby-devel-2.5.9-9.el7.ppc64le.rpm rh-ruby25-ruby-libs-2.5.9-9.el7.ppc64le.rpm rh-ruby25-rubygem-bigdecimal-1.3.4-9.el7.ppc64le.rpm rh-ruby25-rubygem-io-console-0.4.6-9.el7.ppc64le.rpm rh-ruby25-rubygem-json-2.1.0-9.el7.ppc64le.rpm rh-ruby25-rubygem-openssl-2.1.2-9.el7.ppc64le.rpm rh-ruby25-rubygem-psych-3.0.2-9.el7.ppc64le.rpm s390x: rh-ruby25-ruby-2.5.9-9.el7.s390x.rpm rh-ruby25-ruby-debuginfo-2.5.9-9.el7.s390x.rpm rh-ruby25-ruby-devel-2.5.9-9.el7.s390x.rpm rh-ruby25-ruby-libs-2.5.9-9.el7.s390x.rpm rh-ruby25-rubygem-bigdecimal-1.3.4-9.el7.s390x.rpm rh-ruby25-rubygem-io-console-0.4.6-9.el7.s390x.rpm rh-ruby25-rubygem-json-2.1.0-9.el7.s390x.rpm rh-ruby25-rubygem-openssl-2.1.2-9.el7.s390x.rpm rh-ruby25-rubygem-psych-3.0.2-9.el7.s390x.rpm x86_64: rh-ruby25-ruby-2.5.9-9.el7.x86_64.rpm rh-ruby25-ruby-debuginfo-2.5.9-9.el7.x86_64.rpm rh-ruby25-ruby-devel-2.5.9-9.el7.x86_64.rpm rh-ruby25-ruby-libs-2.5.9-9.el7.x86_64.rpm rh-ruby25-rubygem-bigdecimal-1.3.4-9.el7.x86_64.rpm rh-ruby25-rubygem-io-console-0.4.6-9.el7.x86_64.rpm rh-ruby25-rubygem-json-2.1.0-9.el7.x86_64.rpm rh-ruby25-rubygem-openssl-2.1.2-9.el7.x86_64.rpm rh-ruby25-rubygem-psych-3.0.2-9.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6): Source: rh-ruby25-ruby-2.5.9-9.el7.src.rpm noarch: rh-ruby25-ruby-doc-2.5.9-9.el7.noarch.rpm rh-ruby25-ruby-irb-2.5.9-9.el7.noarch.rpm rh-ruby25-rubygem-did_you_mean-1.2.0-9.el7.noarch.rpm rh-ruby25-rubygem-minitest-5.10.3-9.el7.noarch.rpm rh-ruby25-rubygem-net-telnet-0.1.1-9.el7.noarch.rpm rh-ruby25-rubygem-power_assert-1.1.1-9.el7.noarch.rpm rh-ruby25-rubygem-rake-12.3.3-9.el7.noarch.rpm rh-ruby25-rubygem-rdoc-6.0.1.1-9.el7.noarch.rpm rh-ruby25-rubygem-test-unit-3.2.7-9.el7.noarch.rpm rh-ruby25-rubygem-xmlrpc-0.3.0-9.el7.noarch.rpm rh-ruby25-rubygems-2.7.6.3-9.el7.noarch.rpm rh-ruby25-rubygems-devel-2.7.6.3-9.el7.noarch.rpm ppc64le: rh-ruby25-ruby-2.5.9-9.el7.ppc64le.rpm rh-ruby25-ruby-debuginfo-2.5.9-9.el7.ppc64le.rpm rh-ruby25-ruby-devel-2.5.9-9.el7.ppc64le.rpm rh-ruby25-ruby-libs-2.5.9-9.el7.ppc64le.rpm rh-ruby25-rubygem-bigdecimal-1.3.4-9.el7.ppc64le.rpm rh-ruby25-rubygem-io-console-0.4.6-9.el7.ppc64le.rpm rh-ruby25-rubygem-json-2.1.0-9.el7.ppc64le.rpm rh-ruby25-rubygem-openssl-2.1.2-9.el7.ppc64le.rpm rh-ruby25-rubygem-psych-3.0.2-9.el7.ppc64le.rpm s390x: rh-ruby25-ruby-2.5.9-9.el7.s390x.rpm rh-ruby25-ruby-debuginfo-2.5.9-9.el7.s390x.rpm rh-ruby25-ruby-devel-2.5.9-9.el7.s390x.rpm rh-ruby25-ruby-libs-2.5.9-9.el7.s390x.rpm rh-ruby25-rubygem-bigdecimal-1.3.4-9.el7.s390x.rpm rh-ruby25-rubygem-io-console-0.4.6-9.el7.s390x.rpm rh-ruby25-rubygem-json-2.1.0-9.el7.s390x.rpm rh-ruby25-rubygem-openssl-2.1.2-9.el7.s390x.rpm rh-ruby25-rubygem-psych-3.0.2-9.el7.s390x.rpm x86_64: rh-ruby25-ruby-2.5.9-9.el7.x86_64.rpm rh-ruby25-ruby-debuginfo-2.5.9-9.el7.x86_64.rpm rh-ruby25-ruby-devel-2.5.9-9.el7.x86_64.rpm rh-ruby25-ruby-libs-2.5.9-9.el7.x86_64.rpm rh-ruby25-rubygem-bigdecimal-1.3.4-9.el7.x86_64.rpm rh-ruby25-rubygem-io-console-0.4.6-9.el7.x86_64.rpm rh-ruby25-rubygem-json-2.1.0-9.el7.x86_64.rpm rh-ruby25-rubygem-openssl-2.1.2-9.el7.x86_64.rpm rh-ruby25-rubygem-psych-3.0.2-9.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7): Source: rh-ruby25-ruby-2.5.9-9.el7.src.rpm noarch: rh-ruby25-ruby-doc-2.5.9-9.el7.noarch.rpm rh-ruby25-ruby-irb-2.5.9-9.el7.noarch.rpm rh-ruby25-rubygem-did_you_mean-1.2.0-9.el7.noarch.rpm rh-ruby25-rubygem-minitest-5.10.3-9.el7.noarch.rpm rh-ruby25-rubygem-net-telnet-0.1.1-9.el7.noarch.rpm rh-ruby25-rubygem-power_assert-1.1.1-9.el7.noarch.rpm rh-ruby25-rubygem-rake-12.3.3-9.el7.noarch.rpm rh-ruby25-rubygem-rdoc-6.0.1.1-9.el7.noarch.rpm rh-ruby25-rubygem-test-unit-3.2.7-9.el7.noarch.rpm rh-ruby25-rubygem-xmlrpc-0.3.0-9.el7.noarch.rpm rh-ruby25-rubygems-2.7.6.3-9.el7.noarch.rpm rh-ruby25-rubygems-devel-2.7.6.3-9.el7.noarch.rpm ppc64le: rh-ruby25-ruby-2.5.9-9.el7.ppc64le.rpm rh-ruby25-ruby-debuginfo-2.5.9-9.el7.ppc64le.rpm rh-ruby25-ruby-devel-2.5.9-9.el7.ppc64le.rpm rh-ruby25-ruby-libs-2.5.9-9.el7.ppc64le.rpm rh-ruby25-rubygem-bigdecimal-1.3.4-9.el7.ppc64le.rpm rh-ruby25-rubygem-io-console-0.4.6-9.el7.ppc64le.rpm rh-ruby25-rubygem-json-2.1.0-9.el7.ppc64le.rpm rh-ruby25-rubygem-openssl-2.1.2-9.el7.ppc64le.rpm rh-ruby25-rubygem-psych-3.0.2-9.el7.ppc64le.rpm s390x: rh-ruby25-ruby-2.5.9-9.el7.s390x.rpm rh-ruby25-ruby-debuginfo-2.5.9-9.el7.s390x.rpm rh-ruby25-ruby-devel-2.5.9-9.el7.s390x.rpm rh-ruby25-ruby-libs-2.5.9-9.el7.s390x.rpm rh-ruby25-rubygem-bigdecimal-1.3.4-9.el7.s390x.rpm rh-ruby25-rubygem-io-console-0.4.6-9.el7.s390x.rpm rh-ruby25-rubygem-json-2.1.0-9.el7.s390x.rpm rh-ruby25-rubygem-openssl-2.1.2-9.el7.s390x.rpm rh-ruby25-rubygem-psych-3.0.2-9.el7.s390x.rpm x86_64: rh-ruby25-ruby-2.5.9-9.el7.x86_64.rpm rh-ruby25-ruby-debuginfo-2.5.9-9.el7.x86_64.rpm rh-ruby25-ruby-devel-2.5.9-9.el7.x86_64.rpm rh-ruby25-ruby-libs-2.5.9-9.el7.x86_64.rpm rh-ruby25-rubygem-bigdecimal-1.3.4-9.el7.x86_64.rpm rh-ruby25-rubygem-io-console-0.4.6-9.el7.x86_64.rpm rh-ruby25-rubygem-json-2.1.0-9.el7.x86_64.rpm rh-ruby25-rubygem-openssl-2.1.2-9.el7.x86_64.rpm rh-ruby25-rubygem-psych-3.0.2-9.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-ruby25-ruby-2.5.9-9.el7.src.rpm noarch: rh-ruby25-ruby-doc-2.5.9-9.el7.noarch.rpm rh-ruby25-ruby-irb-2.5.9-9.el7.noarch.rpm rh-ruby25-rubygem-did_you_mean-1.2.0-9.el7.noarch.rpm rh-ruby25-rubygem-minitest-5.10.3-9.el7.noarch.rpm rh-ruby25-rubygem-net-telnet-0.1.1-9.el7.noarch.rpm rh-ruby25-rubygem-power_assert-1.1.1-9.el7.noarch.rpm rh-ruby25-rubygem-rake-12.3.3-9.el7.noarch.rpm rh-ruby25-rubygem-rdoc-6.0.1.1-9.el7.noarch.rpm rh-ruby25-rubygem-test-unit-3.2.7-9.el7.noarch.rpm rh-ruby25-rubygem-xmlrpc-0.3.0-9.el7.noarch.rpm rh-ruby25-rubygems-2.7.6.3-9.el7.noarch.rpm rh-ruby25-rubygems-devel-2.7.6.3-9.el7.noarch.rpm x86_64: rh-ruby25-ruby-2.5.9-9.el7.x86_64.rpm rh-ruby25-ruby-debuginfo-2.5.9-9.el7.x86_64.rpm rh-ruby25-ruby-devel-2.5.9-9.el7.x86_64.rpm rh-ruby25-ruby-libs-2.5.9-9.el7.x86_64.rpm rh-ruby25-rubygem-bigdecimal-1.3.4-9.el7.x86_64.rpm rh-ruby25-rubygem-io-console-0.4.6-9.el7.x86_64.rpm rh-ruby25-rubygem-json-2.1.0-9.el7.x86_64.rpm rh-ruby25-rubygem-openssl-2.1.2-9.el7.x86_64.rpm rh-ruby25-rubygem-psych-3.0.2-9.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-15845 https://access.redhat.com/security/cve/CVE-2019-16201 https://access.redhat.com/security/cve/CVE-2019-16254 https://access.redhat.com/security/cve/CVE-2019-16255 https://access.redhat.com/security/cve/CVE-2020-10663 https://access.redhat.com/security/cve/CVE-2020-10933 https://access.redhat.com/security/cve/CVE-2020-25613 https://access.redhat.com/security/cve/CVE-2021-28965 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYKz4Z9zjgjWX9erEAQiSGhAAolhk0URp2zYTGrVhSmNdAVBtSoAd6btc ddv/r5SiXmDuIVM9yUYeLkG62c0cLJOEKENN5ejBg0okwi4sEyd0qOQOEEGB0hSb qGtsePb5k8qDrS8jadaYBldgEhzE9wOKpZHet5+P+NPVTlLmbwNs7feeP5pTjoiv tacVQgkEsyNyQk1EtOm7IZpdoYwc2oQcA490c3ydG+LKBC/Sw6y3UeugEc1uhQl4 Da0VzGlK3wBd33hT5Sr/8hYZsjUUGKTUmmyuWomN3oJJzxCO3JEj0MY1P9O5ADmN 3KQ8jOe4eYW9XK51JqUoKuSLViTNiZLYUiNJmG7jEh1/aRcbPSm4wns467vb9xzC zaAhS4vXnLSTJw7sUrAqudN+pvmH9qcHJ3/RtSaYOQNU01uyy6r2XTSXcOXKmkYa qBv3WmxnPgRR9H2jczj9Qvnqt7TjhiTE1sceAPDEmUY00TFC4hmcons3vleqxI1s nJi5oKmns3+POTiurLDkoiK5wVY2Uexos8D5sA7PsKIuve3UNeOOzm6OVRp60eqF MusHiyR0SG+C2cICx1zog5Z2k1FSI0s/yGprY61qxZAsA+znaJeAFCjlDJPoeoTK lfBP2x/L7KD40pq2LmuE8Y3oEHeF4D5K5yCXJIFxKHrCUFafD++U8GzXd2vjWTxu VVreNcSVN/E= =m8n+ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . 8) - aarch64, noarch, ppc64le, s390x, x86_64 3. ========================================================================== Ubuntu Security Notice USN-4882-1 March 18, 2021 ruby2.3, ruby2.5, ruby2.7 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.10 - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in Ruby. If a user or automated system were tricked into parsing a specially crafted JSON file, a remote attacker could use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2020-10663) It was discovered that Ruby incorrectly handled certain socket memory operations. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-10933) It was discovered that Ruby incorrectly handled certain transfer-encoding headers when using Webrick. A remote attacker could possibly use this issue to bypass a reverse proxy. (CVE-2020-25613) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.10: libruby2.7 2.7.1-3ubuntu1.2 ruby2.7 2.7.1-3ubuntu1.2 Ubuntu 20.04 LTS: libruby2.7 2.7.0-5ubuntu1.3 ruby2.7 2.7.0-5ubuntu1.3 Ubuntu 18.04 LTS: libruby2.5 2.5.1-1ubuntu1.8 ruby2.5 2.5.1-1ubuntu1.8 Ubuntu 16.04 LTS: libruby2.3 2.3.1-2~ubuntu16.04.15 ruby2.3 2.3.1-2~ubuntu16.04.15 In general, a standard system update will make all the necessary changes. Bug Fix(es): * [GUI] Colocation constraint can't be added (BZ#1840157) 4. 8) - ppc64le, s390x, x86_64 3. Description: The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Bug Fix(es): * pcs status on remotes is not working on rhel8.2 any longer (BZ#1832914) * pcs cluster stop --all throws errors and doesn't seem to honor the request-timeout option (BZ#1838084) * [GUI] Colocation constraint can't be added (BZ#1840158) 4. Bugs fixed (https://bugzilla.redhat.com/): 1827500 - CVE-2020-10663 rubygem-json: Unsafe Object Creation Vulnerability in JSON 1832914 - pcs status on remotes is not working on rhel8.2 any longer [rhel-8.2.0.z] 1838084 - pcs cluster stop --all throws errors and doesn't seem to honor the request-timeout option [rhel-8.2.0.z] 1840158 - [GUI] Colocation constraint can't be added [rhel-8.2.0.z] 6. When parsing certain JSON documents, the json gem can be coerced into creating arbitrary objects in the target system. CVE-2020-10933 Samuel Williams reported a flaw in the socket library which may lead to exposure of possibly sensitive data from the interpreter. For the stable distribution (buster), these problems have been fixed in version 2.5.5-3+deb10u2. We recommend that you upgrade your ruby2.5 packages. For the detailed security status of ruby2.5 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby2.5 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl8F5jVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0RT1Q/9EmtF3l9EwsTqV0RaU0CvycnypEEHk0vahqwtDKe5m1j13RlbhU5PfeNm n8E4pzw30+zROL8vxrCBQbAkBLACJOD9GwnA1G5mUnga1m49+5TyHEfPTFDsZHZ7 XqWuIJiQpOaPAi9xlywyqxji8OHPND2NNtCF1xk3Mpfk/7Y5JNJjFPnQnprfB4Hf c8AMjgmjV4ElJ60ALpXQzP7snVs4S+LA+Qb2O7V05u8zW0ytiEGTJNKrdG/+Rkrm XKUrEwPJLOU9DlR1JDXD491tOSYGiQdS/vWNQsyGKArpdDbhAUOybWZinD6ZG0KR L7atC327+eNDhpIKcmS4jMRnoQwjmlgPK6m0YwF4mKmyL4lWKwqCddDnIfr7jRSq bW3esnLJatEJiUbcSLpuBn0qO5f6HYb1iRhXJDQlPsuySIjObkn+rim9Bvo0NOQZ SZx74Rv1KX/kYpU4KcZyoygRuuWzl3pPYRj5BYJOViDGIcSKay4w7oypLjSWg7b3 BQfKQ7MbIVIXLk27fS/mOKpG0uXM5cer7LGnZSovl+KQmgp4gBdtCpuzat7Jz3YI tJDwDSjfhUQu8Uew+6bnvDUJ+zFEp/fEly2ueZFSYkkPmWPMcaI3OIk/Q2dLt5ZX gC+Vad6gT/C2UBYZCxxcBTHOcAlImTQ/JPCQMOGrvZM6t7QouuA= =rTdk -----END PGP SIGNATURE-----

Trust: 1.8

sources: NVD: CVE-2020-10663 // VULHUB: VHN-163164 // VULMON: CVE-2020-10663 // PACKETSTORM: 162764 // PACKETSTORM: 163318 // PACKETSTORM: 161870 // PACKETSTORM: 158184 // PACKETSTORM: 158023 // PACKETSTORM: 158018 // PACKETSTORM: 166075 // PACKETSTORM: 168868

AFFECTED PRODUCTS

vendor:	opensuse	model:	leap	scope:	eq	version:	15.1	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	8.0	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	10.0	Trust: 1.0
vendor:	json	model:	json	scope:	lte	version:	2.2.0	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	30	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	31	Trust: 1.0
vendor:	apple	model:	macos	scope:	eq	version:	11.0.1	Trust: 1.0

sources: NVD: CVE-2020-10663

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-10663
value:	HIGH
Trust: 1.0
VULHUB:	VHN-163164
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2020-10663
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-10663
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
VULHUB:	VHN-163164
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-10663
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-163164 // VULMON: CVE-2020-10663 // NVD: CVE-2020-10663

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.1

sources: VULHUB: VHN-163164 // NVD: CVE-2020-10663

THREAT TYPE

remote

Trust: 0.1

sources: PACKETSTORM: 161870

TYPE

arbitrary

Trust: 0.1

sources: PACKETSTORM: 161870

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-163164

PATCH

title:	Red Hat: Moderate: pcs security and bug fix update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202473 - Security Advisory	Trust: 0.1
title:	Red Hat: Moderate: pcs security and bug fix update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202670 - Security Advisory	Trust: 0.1
title:	Debian Security Advisories: DSA-4721-1 ruby2.5 -- security update	url:	https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=5216eb40be88e11afae842c5a0cad903	Trust: 0.1
title:	Amazon Linux AMI: ALAS-2020-1426	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2020-1426	Trust: 0.1
title:	Amazon Linux AMI: ALAS-2020-1423	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2020-1423	Trust: 0.1
title:	Amazon Linux AMI: ALAS-2020-1416	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2020-1416	Trust: 0.1
title:	Amazon Linux 2: ALAS2-2021-1641	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2021-1641	Trust: 0.1
title:	Red Hat: Important: ruby:2.6 security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20220582 - Security Advisory	Trust: 0.1
title:	Red Hat: Important: ruby:2.6 security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20220581 - Security Advisory	Trust: 0.1
title:	Amazon Linux AMI: ALAS-2020-1422	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2020-1422	Trust: 0.1
title:	Amazon Linux 2: ALASRUBY2.6-2023-007	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALASRUBY2.6-2023-007	Trust: 0.1
title:	mandrill-api-ruby	url:	https://github.com/CareerJSM/mandrill-api-ruby	Trust: 0.1
title:	gem mandrill-api	url:	https://github.com/szmo/mandrill-api-updated	Trust: 0.1
title:	mandrill-api-ruby	url:	https://github.com/retailzipline/mandrill-api-ruby	Trust: 0.1
title:	Workaround for CVE-2020-10663 (vulnerability in json gem)	url:	https://github.com/rails-lts/json_cve_2020_10663	Trust: 0.1
title:	gem mandrill-api	url:	https://github.com/getaway-house/gem-mandrill-api	Trust: 0.1
title:	CodeQuality	url:	https://github.com/rainchen/code_quality	Trust: 0.1
title:	https://github.com/francois/bundler-slowness-repro	url:	https://github.com/francois/bundler-slowness-repro	Trust: 0.1
title:	PoC in GitHub	url:	https://github.com/soosmile/POC	Trust: 0.1
title:	PoC in GitHub	url:	https://github.com/developer3000S/PoC-in-GitHub	Trust: 0.1
title:	PoC in GitHub	url:	https://github.com/hectorgie/PoC-in-GitHub	Trust: 0.1
title:	veracode-container-security-finding-parser	url:	https://github.com/vincent-deng/veracode-container-security-finding-parser	Trust: 0.1
title:	PoC in GitHub	url:	https://github.com/0xT11/CVE-POC	Trust: 0.1

sources: VULMON: CVE-2020-10663

EXTERNAL IDS

db:	NVD	id:	CVE-2020-10663	Trust: 2.0
db:	PACKETSTORM	id:	161870	Trust: 0.2
db:	PACKETSTORM	id:	158023	Trust: 0.2
db:	PACKETSTORM	id:	158184	Trust: 0.2
db:	PACKETSTORM	id:	162764	Trust: 0.2
db:	PACKETSTORM	id:	163318	Trust: 0.2
db:	PACKETSTORM	id:	158018	Trust: 0.2
db:	PACKETSTORM	id:	163317	Trust: 0.1
db:	PACKETSTORM	id:	160545	Trust: 0.1
db:	PACKETSTORM	id:	162953	Trust: 0.1
db:	CNVD	id:	CNVD-2020-32355	Trust: 0.1
db:	CNNVD	id:	CNNVD-202003-1294	Trust: 0.1
db:	VULHUB	id:	VHN-163164	Trust: 0.1
db:	VULMON	id:	CVE-2020-10663	Trust: 0.1
db:	PACKETSTORM	id:	166075	Trust: 0.1
db:	PACKETSTORM	id:	168868	Trust: 0.1

sources: VULHUB: VHN-163164 // VULMON: CVE-2020-10663 // PACKETSTORM: 162764 // PACKETSTORM: 163318 // PACKETSTORM: 161870 // PACKETSTORM: 158184 // PACKETSTORM: 158023 // PACKETSTORM: 158018 // PACKETSTORM: 166075 // PACKETSTORM: 168868 // NVD: CVE-2020-10663

REFERENCES

url:	https://www.debian.org/security/2020/dsa-4721	Trust: 1.3
url:	https://security.netapp.com/advisory/ntap-20210129-0003/	Trust: 1.2
url:	https://support.apple.com/kb/ht211931	Trust: 1.2
url:	https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/	Trust: 1.2
url:	http://seclists.org/fulldisclosure/2020/dec/32	Trust: 1.2
url:	https://lists.debian.org/debian-lts-announce/2020/04/msg00030.html	Trust: 1.2
url:	http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00004.html	Trust: 1.2
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7ql6mjd2bo4irj5cjfnmcdymqqft24bj/	Trust: 1.1
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/nk2pbxwmfrud7u7q7lhv4kylyid77ri4/	Trust: 1.1
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/f4tnvtt66vprmx5uzysdgsvrxkkdddu5/	Trust: 1.1
url:	https://lists.apache.org/thread.html/r8d2e174230f6d26e16c007546e804c343f1f68956f526daaafa4aaae%40%3cdev.zookeeper.apache.org%3e	Trust: 1.1
url:	https://lists.apache.org/thread.html/rd9b9cc843f5cf5b532bdad9e87a817967efcf52b917e8c43b6df4cc7%40%3cissues.zookeeper.apache.org%3e	Trust: 1.1
url:	https://lists.apache.org/thread.html/ree3abcd33c06ee95ab59faa1751198a1186d8941ddc2c2562c12966c%40%3cissues.zookeeper.apache.org%3e	Trust: 1.1
url:	https://lists.apache.org/thread.html/rb023d54a46da1ac0d8969097f5fecc79636b07d3b80db7b818a5c55c%40%3cissues.zookeeper.apache.org%3e	Trust: 1.1
url:	https://lists.apache.org/thread.html/rb2b981912446a74e14fe6076c4b7c7d8502727ea0718e6a65a9b1be5%40%3cissues.zookeeper.apache.org%3e	Trust: 1.1
url:	https://lists.apache.org/thread.html/r5f17bfca1d6e7f4b33ae978725b2fd62a9f1b3111696eafa9add802d%40%3cissues.zookeeper.apache.org%3e	Trust: 1.1
url:	https://lists.apache.org/thread.html/rec8bb4d637b04575da41cfae49118e108e95d43bfac39b7b698ee4db%40%3cissues.zookeeper.apache.org%3e	Trust: 1.1
url:	https://lists.apache.org/thread.html/r37c0e1807da7ff2bdd028bbe296465a6bbb99e2320dbe661d5d8b33b%40%3cissues.zookeeper.apache.org%3e	Trust: 1.1
url:	https://lists.apache.org/thread.html/r3b04f4e99a19613f88ae088aa18cd271231a3c79dfff8f5efa8cda61%40%3cissues.zookeeper.apache.org%3e	Trust: 1.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10663	Trust: 0.8
url:	https://access.redhat.com/security/cve/cve-2020-10663	Trust: 0.6
url:	https://access.redhat.com/articles/11258	Trust: 0.6
url:	https://access.redhat.com/security/team/key/	Trust: 0.6
url:	https://access.redhat.com/security/team/contact/	Trust: 0.6
url:	https://bugzilla.redhat.com/):	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10933	Trust: 0.5
url:	https://access.redhat.com/security/updates/classification/#moderate	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2020-25613	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-10933	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-15845	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-25613	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-16255	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-16201	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-16254	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16254	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-15845	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16201	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2021-28965	Trust: 0.3
url:	https://listman.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2021-28965	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16255	Trust: 0.3
url:	https://www.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.3
url:	https://access.redhat.com/errata/rhsa-2020:2473	Trust: 0.2
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ql6mjd2bo4irj5cjfnmcdymqqft24bj/	Trust: 0.1
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/f4tnvtt66vprmx5uzysdgsvrxkkdddu5/	Trust: 0.1
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/nk2pbxwmfrud7u7q7lhv4kylyid77ri4/	Trust: 0.1
url:	https://lists.apache.org/thread.html/r8d2e174230f6d26e16c007546e804c343f1f68956f526daaafa4aaae@%3cdev.zookeeper.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/rd9b9cc843f5cf5b532bdad9e87a817967efcf52b917e8c43b6df4cc7@%3cissues.zookeeper.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/ree3abcd33c06ee95ab59faa1751198a1186d8941ddc2c2562c12966c@%3cissues.zookeeper.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/rb023d54a46da1ac0d8969097f5fecc79636b07d3b80db7b818a5c55c@%3cissues.zookeeper.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/rb2b981912446a74e14fe6076c4b7c7d8502727ea0718e6a65a9b1be5@%3cissues.zookeeper.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/r5f17bfca1d6e7f4b33ae978725b2fd62a9f1b3111696eafa9add802d@%3cissues.zookeeper.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/rec8bb4d637b04575da41cfae49118e108e95d43bfac39b7b698ee4db@%3cissues.zookeeper.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/r3b04f4e99a19613f88ae088aa18cd271231a3c79dfff8f5efa8cda61@%3cissues.zookeeper.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/r37c0e1807da7ff2bdd028bbe296465a6bbb99e2320dbe661d5d8b33b@%3cissues.zookeeper.apache.org%3e	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/20.html	Trust: 0.1
url:	https://github.com/careerjsm/mandrill-api-ruby	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:2104	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3881	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:2588	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-3881	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/ruby2.5/2.5.1-1ubuntu1.8	Trust: 0.1
url:	https://ubuntu.com/security/notices/usn-4882-1	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.3	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/ruby2.7/2.7.1-3ubuntu1.2	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/ruby2.3/2.3.1-2~ubuntu16.04.15	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:2670	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:2462	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-36327	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-32066	Trust: 0.1
url:	https://access.redhat.com/security/updates/classification/#important	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-41817	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-31810	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-31810	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-32066	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-31799	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:0582	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-31799	Trust: 0.1
url:	https://access.redhat.com/articles/6206172	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-36327	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-41819	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-41817	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-41819	Trust: 0.1
url:	https://security-tracker.debian.org/tracker/ruby2.5	Trust: 0.1
url:	https://www.debian.org/security/faq	Trust: 0.1
url:	https://www.debian.org/security/	Trust: 0.1

CREDITS

Red Hat

Trust: 0.6

sources: PACKETSTORM: 162764 // PACKETSTORM: 163318 // PACKETSTORM: 158184 // PACKETSTORM: 158023 // PACKETSTORM: 158018 // PACKETSTORM: 166075

SOURCES

db:	VULHUB	id:	VHN-163164
db:	VULMON	id:	CVE-2020-10663
db:	PACKETSTORM	id:	162764
db:	PACKETSTORM	id:	163318
db:	PACKETSTORM	id:	161870
db:	PACKETSTORM	id:	158184
db:	PACKETSTORM	id:	158023
db:	PACKETSTORM	id:	158018
db:	PACKETSTORM	id:	166075
db:	PACKETSTORM	id:	168868
db:	NVD	id:	CVE-2020-10663

LAST UPDATE DATE

2024-11-20T19:50:42.819000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-163164	date:	2022-04-18T00:00:00
db:	VULMON	id:	CVE-2020-10663	date:	2023-11-07T00:00:00
db:	NVD	id:	CVE-2020-10663	date:	2023-11-07T03:14:11.453

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-163164	date:	2020-04-28T00:00:00
db:	VULMON	id:	CVE-2020-10663	date:	2020-04-28T00:00:00
db:	PACKETSTORM	id:	162764	date:	2021-05-25T14:44:09
db:	PACKETSTORM	id:	163318	date:	2021-06-30T15:21:00
db:	PACKETSTORM	id:	161870	date:	2021-03-19T15:41:51
db:	PACKETSTORM	id:	158184	date:	2020-06-23T15:00:55
db:	PACKETSTORM	id:	158023	date:	2020-06-10T15:13:03
db:	PACKETSTORM	id:	158018	date:	2020-06-10T15:10:17
db:	PACKETSTORM	id:	166075	date:	2022-02-21T15:17:19
db:	PACKETSTORM	id:	168868	date:	2020-07-28T19:12:00
db:	NVD	id:	CVE-2020-10663	date:	2020-04-28T21:15:11.667