Details of VAR-202004-0061

ID

VAR-202004-0061

CVE

CVE-2020-10663

TITLE

Ruby JSON gem Input validation error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202003-1294

DESCRIPTION

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent. An attacker could exploit this vulnerability to forcibly create arbitrary objects on the target system. 8) - aarch64, noarch, ppc64le, s390x, x86_64 3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: rh-ruby26-ruby security, bug fix, and enhancement update Advisory ID: RHSA-2021:2230-01 Product: Red Hat Software Collections Advisory URL: https://access.redhat.com/errata/RHSA-2021:2230 Issue date: 2021-06-03 CVE Names: CVE-2019-3881 CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2020-10663 CVE-2020-10933 CVE-2020-25613 CVE-2021-28965 ==================================================================== 1. Summary: An update for rh-ruby26-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - noarch, ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 3. Description: Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. The following packages have been upgraded to a later upstream version: rh-ruby26-ruby (2.6.7). (BZ#1701182) Security Fix(es): * rubygem-bundler: Insecure permissions on directory in /tmp/ allows for execution of malicious code (CVE-2019-3881) * ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? (CVE-2019-15845) * ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication (CVE-2019-16201) * ruby: Code injection via command argument of Shell#test / Shell#[] (CVE-2019-16255) * rubygem-json: Unsafe object creation vulnerability in JSON (CVE-2020-10663) * ruby: BasicSocket#read_nonblock method leads to information disclosure (CVE-2020-10933) * ruby: Potential HTTP request smuggling in WEBrick (CVE-2020-25613) * ruby: XML round-trip vulnerability in REXML (CVE-2021-28965) * ruby: HTTP response splitting in WEBrick (CVE-2019-16254) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * rh-ruby26-ruby: Resolv::DNS: timeouts if multiple IPv6 name servers are given and address contains leading zero [rhscl-3] (BZ#1950331) Additional Changes: For detailed information on changes in this release, see the Red Hat Software Collections 3.7 Release Notes linked from the References section. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1651826 - CVE-2019-3881 rubygem-bundler: Insecure permissions on directory in /tmp/ allows for execution of malicious code 1773728 - CVE-2019-16201 ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication 1789407 - CVE-2019-15845 ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? 1789556 - CVE-2019-16254 ruby: HTTP response splitting in WEBrick 1793683 - CVE-2019-16255 ruby: Code injection via command argument of Shell#test / Shell#[] 1827500 - CVE-2020-10663 rubygem-json: Unsafe object creation vulnerability in JSON 1833291 - CVE-2020-10933 ruby: BasicSocket#read_nonblock method leads to information disclosure 1883623 - CVE-2020-25613 ruby: Potential HTTP request smuggling in WEBrick 1947526 - CVE-2021-28965 ruby: XML round-trip vulnerability in REXML 1950331 - rh-ruby26-ruby: Resolv::DNS: timeouts if multiple IPv6 name servers are given and address contains leading zero [rhscl-3] 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: rh-ruby26-ruby-2.6.7-119.el7.src.rpm noarch: rh-ruby26-ruby-doc-2.6.7-119.el7.noarch.rpm rh-ruby26-rubygem-bundler-1.17.2-119.el7.noarch.rpm rh-ruby26-rubygem-did_you_mean-1.3.0-119.el7.noarch.rpm rh-ruby26-rubygem-irb-1.0.0-119.el7.noarch.rpm rh-ruby26-rubygem-minitest-5.11.3-119.el7.noarch.rpm rh-ruby26-rubygem-net-telnet-0.2.0-119.el7.noarch.rpm rh-ruby26-rubygem-power_assert-1.1.3-119.el7.noarch.rpm rh-ruby26-rubygem-rake-12.3.3-119.el7.noarch.rpm rh-ruby26-rubygem-rdoc-6.1.2-119.el7.noarch.rpm rh-ruby26-rubygem-test-unit-3.2.9-119.el7.noarch.rpm rh-ruby26-rubygem-xmlrpc-0.3.0-119.el7.noarch.rpm rh-ruby26-rubygems-3.0.3.1-119.el7.noarch.rpm rh-ruby26-rubygems-devel-3.0.3.1-119.el7.noarch.rpm ppc64le: rh-ruby26-ruby-2.6.7-119.el7.ppc64le.rpm rh-ruby26-ruby-debuginfo-2.6.7-119.el7.ppc64le.rpm rh-ruby26-ruby-devel-2.6.7-119.el7.ppc64le.rpm rh-ruby26-ruby-libs-2.6.7-119.el7.ppc64le.rpm rh-ruby26-rubygem-bigdecimal-1.4.1-119.el7.ppc64le.rpm rh-ruby26-rubygem-io-console-0.4.7-119.el7.ppc64le.rpm rh-ruby26-rubygem-json-2.1.0-119.el7.ppc64le.rpm rh-ruby26-rubygem-openssl-2.1.2-119.el7.ppc64le.rpm rh-ruby26-rubygem-psych-3.1.0-119.el7.ppc64le.rpm s390x: rh-ruby26-ruby-2.6.7-119.el7.s390x.rpm rh-ruby26-ruby-debuginfo-2.6.7-119.el7.s390x.rpm rh-ruby26-ruby-devel-2.6.7-119.el7.s390x.rpm rh-ruby26-ruby-libs-2.6.7-119.el7.s390x.rpm rh-ruby26-rubygem-bigdecimal-1.4.1-119.el7.s390x.rpm rh-ruby26-rubygem-io-console-0.4.7-119.el7.s390x.rpm rh-ruby26-rubygem-json-2.1.0-119.el7.s390x.rpm rh-ruby26-rubygem-openssl-2.1.2-119.el7.s390x.rpm rh-ruby26-rubygem-psych-3.1.0-119.el7.s390x.rpm x86_64: rh-ruby26-ruby-2.6.7-119.el7.x86_64.rpm rh-ruby26-ruby-debuginfo-2.6.7-119.el7.x86_64.rpm rh-ruby26-ruby-devel-2.6.7-119.el7.x86_64.rpm rh-ruby26-ruby-libs-2.6.7-119.el7.x86_64.rpm rh-ruby26-rubygem-bigdecimal-1.4.1-119.el7.x86_64.rpm rh-ruby26-rubygem-io-console-0.4.7-119.el7.x86_64.rpm rh-ruby26-rubygem-json-2.1.0-119.el7.x86_64.rpm rh-ruby26-rubygem-openssl-2.1.2-119.el7.x86_64.rpm rh-ruby26-rubygem-psych-3.1.0-119.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7): Source: rh-ruby26-ruby-2.6.7-119.el7.src.rpm noarch: rh-ruby26-ruby-doc-2.6.7-119.el7.noarch.rpm rh-ruby26-rubygem-bundler-1.17.2-119.el7.noarch.rpm rh-ruby26-rubygem-did_you_mean-1.3.0-119.el7.noarch.rpm rh-ruby26-rubygem-irb-1.0.0-119.el7.noarch.rpm rh-ruby26-rubygem-minitest-5.11.3-119.el7.noarch.rpm rh-ruby26-rubygem-net-telnet-0.2.0-119.el7.noarch.rpm rh-ruby26-rubygem-power_assert-1.1.3-119.el7.noarch.rpm rh-ruby26-rubygem-rake-12.3.3-119.el7.noarch.rpm rh-ruby26-rubygem-rdoc-6.1.2-119.el7.noarch.rpm rh-ruby26-rubygem-test-unit-3.2.9-119.el7.noarch.rpm rh-ruby26-rubygem-xmlrpc-0.3.0-119.el7.noarch.rpm rh-ruby26-rubygems-3.0.3.1-119.el7.noarch.rpm rh-ruby26-rubygems-devel-3.0.3.1-119.el7.noarch.rpm ppc64le: rh-ruby26-ruby-2.6.7-119.el7.ppc64le.rpm rh-ruby26-ruby-debuginfo-2.6.7-119.el7.ppc64le.rpm rh-ruby26-ruby-devel-2.6.7-119.el7.ppc64le.rpm rh-ruby26-ruby-libs-2.6.7-119.el7.ppc64le.rpm rh-ruby26-rubygem-bigdecimal-1.4.1-119.el7.ppc64le.rpm rh-ruby26-rubygem-io-console-0.4.7-119.el7.ppc64le.rpm rh-ruby26-rubygem-json-2.1.0-119.el7.ppc64le.rpm rh-ruby26-rubygem-openssl-2.1.2-119.el7.ppc64le.rpm rh-ruby26-rubygem-psych-3.1.0-119.el7.ppc64le.rpm s390x: rh-ruby26-ruby-2.6.7-119.el7.s390x.rpm rh-ruby26-ruby-debuginfo-2.6.7-119.el7.s390x.rpm rh-ruby26-ruby-devel-2.6.7-119.el7.s390x.rpm rh-ruby26-ruby-libs-2.6.7-119.el7.s390x.rpm rh-ruby26-rubygem-bigdecimal-1.4.1-119.el7.s390x.rpm rh-ruby26-rubygem-io-console-0.4.7-119.el7.s390x.rpm rh-ruby26-rubygem-json-2.1.0-119.el7.s390x.rpm rh-ruby26-rubygem-openssl-2.1.2-119.el7.s390x.rpm rh-ruby26-rubygem-psych-3.1.0-119.el7.s390x.rpm x86_64: rh-ruby26-ruby-2.6.7-119.el7.x86_64.rpm rh-ruby26-ruby-debuginfo-2.6.7-119.el7.x86_64.rpm rh-ruby26-ruby-devel-2.6.7-119.el7.x86_64.rpm rh-ruby26-ruby-libs-2.6.7-119.el7.x86_64.rpm rh-ruby26-rubygem-bigdecimal-1.4.1-119.el7.x86_64.rpm rh-ruby26-rubygem-io-console-0.4.7-119.el7.x86_64.rpm rh-ruby26-rubygem-json-2.1.0-119.el7.x86_64.rpm rh-ruby26-rubygem-openssl-2.1.2-119.el7.x86_64.rpm rh-ruby26-rubygem-psych-3.1.0-119.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-ruby26-ruby-2.6.7-119.el7.src.rpm noarch: rh-ruby26-ruby-doc-2.6.7-119.el7.noarch.rpm rh-ruby26-rubygem-bundler-1.17.2-119.el7.noarch.rpm rh-ruby26-rubygem-did_you_mean-1.3.0-119.el7.noarch.rpm rh-ruby26-rubygem-irb-1.0.0-119.el7.noarch.rpm rh-ruby26-rubygem-minitest-5.11.3-119.el7.noarch.rpm rh-ruby26-rubygem-net-telnet-0.2.0-119.el7.noarch.rpm rh-ruby26-rubygem-power_assert-1.1.3-119.el7.noarch.rpm rh-ruby26-rubygem-rake-12.3.3-119.el7.noarch.rpm rh-ruby26-rubygem-rdoc-6.1.2-119.el7.noarch.rpm rh-ruby26-rubygem-test-unit-3.2.9-119.el7.noarch.rpm rh-ruby26-rubygem-xmlrpc-0.3.0-119.el7.noarch.rpm rh-ruby26-rubygems-3.0.3.1-119.el7.noarch.rpm rh-ruby26-rubygems-devel-3.0.3.1-119.el7.noarch.rpm x86_64: rh-ruby26-ruby-2.6.7-119.el7.x86_64.rpm rh-ruby26-ruby-debuginfo-2.6.7-119.el7.x86_64.rpm rh-ruby26-ruby-devel-2.6.7-119.el7.x86_64.rpm rh-ruby26-ruby-libs-2.6.7-119.el7.x86_64.rpm rh-ruby26-rubygem-bigdecimal-1.4.1-119.el7.x86_64.rpm rh-ruby26-rubygem-io-console-0.4.7-119.el7.x86_64.rpm rh-ruby26-rubygem-json-2.1.0-119.el7.x86_64.rpm rh-ruby26-rubygem-openssl-2.1.2-119.el7.x86_64.rpm rh-ruby26-rubygem-psych-3.1.0-119.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-3881 https://access.redhat.com/security/cve/CVE-2019-15845 https://access.redhat.com/security/cve/CVE-2019-16201 https://access.redhat.com/security/cve/CVE-2019-16254 https://access.redhat.com/security/cve/CVE-2019-16255 https://access.redhat.com/security/cve/CVE-2020-10663 https://access.redhat.com/security/cve/CVE-2020-10933 https://access.redhat.com/security/cve/CVE-2020-25613 https://access.redhat.com/security/cve/CVE-2021-28965 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.7_release_notes/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2020-12-14-4 Additional information for APPLE-SA-2020-11-13-1 macOS Big Sur 11.0.1 macOS Big Sur 11.0.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT211931. AMD Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2020-27914: Yu Wang of Didi Research America CVE-2020-27915: Yu Wang of Didi Research America Entry added December 14, 2020 App Store Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to gain elevated privileges Description: This issue was addressed by removing the vulnerable code. CVE-2020-27903: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab Audio Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-27910: JunDong Xie and XingWei Lin of Ant Security Light- Year Lab Audio Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2020-27916: JunDong Xie of Ant Security Light-Year Lab Audio Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2020-9943: JunDong Xie of Ant Group Light-Year Security Lab Audio Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2020-9944: JunDong Xie of Ant Group Light-Year Security Lab Bluetooth Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to cause unexpected application termination or heap corruption Description: Multiple integer overflows were addressed with improved input validation. CVE-2020-27906: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab CoreAudio Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-27908: JunDong Xie and XingWei Lin of Ant Security Light- Year Lab CVE-2020-27909: Anonymous working with Trend Micro Zero Day Initiative, JunDong Xie and XingWei Lin of Ant Security Light-Year Lab CVE-2020-9960: JunDong Xie and XingWei Lin of Ant Security Light-Year Lab Entry added December 14, 2020 CoreAudio Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2020-10017: Francis working with Trend Micro Zero Day Initiative, JunDong Xie of Ant Security Light-Year Lab CoreCapture Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed with improved memory management. CVE-2020-9949: Proteas CoreGraphics Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2020-9883: an anonymous researcher, Mickey Jin of Trend Micro Crash Reporter Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A local attacker may be able to elevate their privileges Description: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization. CVE-2020-10003: Tim Michaud (@TimGMichaud) of Leviathan CoreText Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: A logic issue was addressed with improved state management. CVE-2020-27922: Mickey Jin of Trend Micro Entry added December 14, 2020 CoreText Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted text file may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved state management. CVE-2020-9999: Apple Entry updated December 14, 2020 Disk Images Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-9965: Proteas CVE-2020-9966: Proteas Finder Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Users may be unable to remove metadata indicating where files were downloaded from Description: The issue was addressed with additional user controls. CVE-2020-27894: Manuel Trezza of Shuggr (shuggr.com) FontParser Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: A buffer overflow was addressed with improved size validation. CVE-2020-9962: Yiğit Can YILMAZ (@yilmazcanyigit) Entry added December 14, 2020 FontParser Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2020-27952: an anonymous researcher, Mickey Jin and Junzhi Lu of Trend Micro Entry added December 14, 2020 FontParser Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-9956: Mickey Jin and Junzhi Lu of Trend Micro Mobile Security Research Team working with Trend Micro’s Zero Day Initiative Entry added December 14, 2020 FontParser Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: A memory corruption issue existed in the processing of font files. This issue was addressed with improved input validation. CVE-2020-27931: Apple Entry added December 14, 2020 FontParser Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted font may lead to arbitrary code execution. Apple is aware of reports that an exploit for this issue exists in the wild. Description: A memory corruption issue was addressed with improved input validation. CVE-2020-27930: Google Project Zero FontParser Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-27927: Xingwei Lin of Ant Security Light-Year Lab Foundation Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A local user may be able to read arbitrary files Description: A logic issue was addressed with improved state management. CVE-2020-10002: James Hutchins HomeKit Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An attacker in a privileged network position may be able to unexpectedly alter application state Description: This issue was addressed with improved setting propagation. CVE-2020-9978: Luyi Xing, Dongfang Zhao, and Xiaofeng Wang of Indiana University Bloomington, Yan Jia of Xidian University and University of Chinese Academy of Sciences, and Bin Yuan of HuaZhong University of Science and Technology Entry added December 14, 2020 ImageIO Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-9955: Mickey Jin of Trend Micro, Xingwei Lin of Ant Security Light-Year Lab Entry added December 14, 2020 ImageIO Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-27924: Lei Sun Entry added December 14, 2020 ImageIO Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2020-27912: Xingwei Lin of Ant Security Light-Year Lab CVE-2020-27923: Lei Sun Entry updated December 14, 2020 ImageIO Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-9876: Mickey Jin of Trend Micro Intel Graphics Driver Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-10015: ABC Research s.r.o. working with Trend Micro Zero Day Initiative CVE-2020-27897: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc., and Luyi Xing of Indiana University Bloomington Entry added December 14, 2020 Intel Graphics Driver Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2020-27907: ABC Research s.r.o. working with Trend Micro Zero Day Initiative Entry added December 14, 2020 Image Processing Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2020-27919: Hou JingYi (@hjy79425575) of Qihoo 360 CERT, Xingwei Lin of Ant Security Light-Year Lab Entry added December 14, 2020 Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory Description: Multiple memory corruption issues were addressed with improved input validation. CVE-2020-9967: Alex Plaskett (@alexjplaskett) Entry added December 14, 2020 Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed with improved memory management. CVE-2020-9975: Tielei Wang of Pangu Lab Entry added December 14, 2020 Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with improved state handling. CVE-2020-27921: Linus Henze (pinauten.de) Entry added December 14, 2020 Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management. CVE-2020-27904: Zuozhi Fan (@pattern_F_) of Ant Group Tianqong Security Lab Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An attacker in a privileged network position may be able to inject into active connections within a VPN tunnel Description: A routing issue was addressed with improved restrictions. CVE-2019-14899: William J. Tolley, Beau Kujath, and Jedidiah R. Crandall Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to disclose kernel memory. Apple is aware of reports that an exploit for this issue exists in the wild. Description: A memory initialization issue was addressed. CVE-2020-27950: Google Project Zero Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to determine kernel memory layout Description: A logic issue was addressed with improved state management. CVE-2020-9974: Tommy Muir (@Muirey03) Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved state management. CVE-2020-10016: Alex Helie Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild. Description: A type confusion issue was addressed with improved state handling. CVE-2020-27932: Google Project Zero libxml2 Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing maliciously crafted web content may lead to code execution Description: A use after free issue was addressed with improved memory management. CVE-2020-27917: found by OSS-Fuzz CVE-2020-27920: found by OSS-Fuzz Entry updated December 14, 2020 libxml2 Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution Description: An integer overflow was addressed through improved input validation. CVE-2020-27911: found by OSS-Fuzz libxpc Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to elevate privileges Description: A logic issue was addressed with improved validation. CVE-2020-9971: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab Entry added December 14, 2020 libxpc Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to break out of its sandbox Description: A parsing issue in the handling of directory paths was addressed with improved path validation. CVE-2020-10014: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab Logging Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A local attacker may be able to elevate their privileges Description: A path handling issue was addressed with improved validation. CVE-2020-10010: Tommy Muir (@Muirey03) Mail Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to unexpectedly alter application state Description: This issue was addressed with improved checks. CVE-2020-9941: Fabian Ising of FH Münster University of Applied Sciences and Damian Poddebniak of FH Münster University of Applied Sciences Messages Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A local user may be able to discover a user’s deleted messages Description: The issue was addressed with improved deletion. CVE-2020-9988: William Breuer of the Netherlands CVE-2020-9989: von Brunn Media Model I/O Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2020-10011: Aleksandar Nikolic of Cisco Talos Entry added December 14, 2020 Model I/O Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-13524: Aleksandar Nikolic of Cisco Talos Model I/O Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution Description: A logic issue was addressed with improved state management. CVE-2020-10004: Aleksandar Nikolic of Cisco Talos NetworkExtension Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to elevate privileges Description: A use after free issue was addressed with improved memory management. CVE-2020-9996: Zhiwei Yuan of Trend Micro iCore Team, Junzhi Lu and Mickey Jin of Trend Micro NSRemoteView Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A logic issue was addressed with improved restrictions. CVE-2020-27901: Thijs Alkemade of Computest Research Division Entry added December 14, 2020 NSRemoteView Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to preview files it does not have access to Description: An issue existed in the handling of snapshots. The issue was resolved with improved permissions logic. CVE-2020-27900: Thijs Alkemade of Computest Research Division PCRE Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Multiple issues in pcre Description: Multiple issues were addressed by updating to version 8.44. CVE-2019-20838 CVE-2020-14155 Power Management Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to determine kernel memory layout Description: A logic issue was addressed with improved state management. CVE-2020-10007: singi@theori working with Trend Micro Zero Day Initiative python Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Cookies belonging to one origin may be sent to another origin Description: Multiple issues were addressed with improved logic. CVE-2020-27896: an anonymous researcher Quick Look Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious app may be able to determine the existence of files on the computer Description: The issue was addressed with improved handling of icon caches. CVE-2020-9963: Csaba Fitzl (@theevilbit) of Offensive Security Quick Look Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted document may lead to a cross site scripting attack Description: An access issue was addressed with improved access restrictions. CVE-2020-10012: Heige of KnownSec 404 Team (https://www.knownsec.com/) and Bo Qu of Palo Alto Networks (https://www.paloaltonetworks.com/) Ruby Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to modify the file system Description: A path handling issue was addressed with improved validation. CVE-2020-27896: an anonymous researcher Ruby Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: When parsing certain JSON documents, the json gem can be coerced into creating arbitrary objects in the target system Description: This issue was addressed with improved checks. CVE-2020-10663: Jeremy Evans Safari Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Visiting a malicious website may lead to address bar spoofing Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. CVE-2020-9945: Narendra Bhati From Suma Soft Pvt. Ltd. Pune (India) @imnarendrabhati Safari Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to determine a user's open tabs in Safari Description: A validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement. CVE-2020-9977: Josh Parnham (@joshparnham) Safari Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Visiting a malicious website may lead to address bar spoofing Description: An inconsistent user interface issue was addressed with improved state management. CVE-2020-9942: an anonymous researcher, Rahul d Kankrale (servicenger.com), Rayyan Bijoora (@Bijoora) of The City School, PAF Chapter, Ruilin Yang of Tencent Security Xuanwu Lab, YoKo Kho (@YoKoAcc) of PT Telekomunikasi Indonesia (Persero) Tbk, Zhiyang Zeng(@Wester) of OPPO ZIWU Security Lab Sandbox Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A local user may be able to view senstive user information Description: An access issue was addressed with additional sandbox restrictions. CVE-2020-9969: Wojciech Reguła of SecuRing (wojciechregula.blog) SQLite Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to cause a denial of service Description: This issue was addressed with improved checks. CVE-2020-9991 SQLite Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to leak memory Description: An information disclosure issue was addressed with improved state management. CVE-2020-9849 SQLite Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Multiple issues in SQLite Description: Multiple issues were addressed by updating SQLite to version 3.32.3. CVE-2020-15358 SQLite Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A maliciously crafted SQL query may lead to data corruption Description: This issue was addressed with improved checks. CVE-2020-13631 SQLite Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to cause a denial of service Description: This issue was addressed with improved checks. CVE-2020-13434 CVE-2020-13435 CVE-2020-9991 SQLite Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to cause arbitrary code execution Description: A memory corruption issue was addressed with improved state management. CVE-2020-13630 Symptom Framework Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A local attacker may be able to elevate their privileges Description: A use after free issue was addressed with improved memory management. CVE-2020-27899: 08Tc3wBB working with ZecOps Entry added December 14, 2020 System Preferences Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A logic issue was addressed with improved state management. CVE-2020-10009: Thijs Alkemade of Computest Research Division TCC Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application with root privileges may be able to access private information Description: A logic issue was addressed with improved restrictions. CVE-2020-10008: Wojciech Reguła of SecuRing (wojciechregula.blog) Entry added December 14, 2020 WebKit Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2020-27918: Liu Long of Ant Security Light-Year Lab Entry updated December 14, 2020 Wi-Fi Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An attacker may be able to bypass Managed Frame Protection Description: A denial of service issue was addressed with improved state handling. CVE-2020-27898: Stephan Marais of University of Johannesburg Xsan Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to access restricted files Description: This issue was addressed with improved entitlements. CVE-2020-10006: Wojciech Reguła (@_r3ggi) of SecuRing Additional recognition 802.1X We would like to acknowledge Kenana Dalle of Hamad bin Khalifa University and Ryan Riley of Carnegie Mellon University in Qatar for their assistance. Entry added December 14, 2020 Audio We would like to acknowledge JunDong Xie and XingWei Lin of Ant- financial Light-Year Security Lab, an anonymous researcher for their assistance. Bluetooth We would like to acknowledge Andy Davis of NCC Group, Dennis Heinze (@ttdennis) of TU Darmstadt, Secure Mobile Networking Lab for their assistance. Entry updated December 14, 2020 Clang We would like to acknowledge Brandon Azad of Google Project Zero for their assistance. Core Location We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance. Crash Reporter We would like to acknowledge Artur Byszko of AFINE for their assistance. Entry added December 14, 2020 Directory Utility We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing for their assistance. iAP We would like to acknowledge Andy Davis of NCC Group for their assistance. Kernel We would like to acknowledge Brandon Azad of Google Project Zero, Stephen Röttger of Google for their assistance. libxml2 We would like to acknowledge an anonymous researcher for their assistance. Entry added December 14, 2020 Login Window We would like to acknowledge Rob Morton of Leidos for their assistance. Photos Storage We would like to acknowledge Paulos Yibelo of LimeHats for their assistance. Quick Look We would like to acknowledge Csaba Fitzl (@theevilbit) and Wojciech Reguła of SecuRing (wojciechregula.blog) for their assistance. Safari We would like to acknowledge Gabriel Corona and Narendra Bhati From Suma Soft Pvt. Ltd. Pune (India) @imnarendrabhati for their assistance. Security We would like to acknowledge Christian Starkjohann of Objective Development Software GmbH for their assistance. System Preferences We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive Security for their assistance. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAl/YDPwACgkQZcsbuWJ6 jjANmhAAoj+ZHNnH2pGDFl2/jrAtvWBtXg8mqw6NtNbGqWDZFhnY5q7Lp8WTx/Pi x64A4F8bU5xcybnmaDpK5PMwAAIiAg4g1BhpOq3pGyeHEasNx7D9damfqFGKiivS p8nl62XE74ayfxdZGa+2tOVFTFwqixfr0aALVoQUhAWNeYuvVSgJXlgdGjj+QSL+ 9vW86kbQypOqT5TPDg6tpJy3g5s4hotkfzCfxA9mIKOg5e/nnoRNhw0c1dzfeTRO INzGxnajKGGYy2C3MH6t0cKG0B6cH7aePZCHYJ1jmuAVd0SD3PfmoT76DeRGC4Ri c8fGD+5pvSF6/+5E+MbH3t3D6bLiCGRFJtYNMpr46gUKKt27EonSiheYCP9xR6lU ChpYdcgHMOHX4a07/Oo8vEwQrtJ4JryhI9tfBel1ewdSoxk2iCFKzLLYkDMihD6B 1x/9MlaqEpLYBnuKkrRzFINW23TzFPTI/+i2SbUscRQtK0qE7Up5C+IUkRvBGhEs MuEmEnn5spnVG2EBcKeLtJxtf/h5WaRFrev72EvSVR+Ko8Cj0MgK6IATu6saq8bV kURL5empvpexFAvVQWRDaLgGBHKM+uArBz2OP6t7wFvD2p1Vq5M+dMrEPna1JO/S AXZYC9Y9bBRZfYQAv7nxa+uIXy2rGTuQKQY8ldu4eEHtJ0OhaB8= =T5Y8 -----END PGP SIGNATURE----- . ========================================================================== Ubuntu Security Notice USN-4882-1 March 18, 2021 ruby2.3, ruby2.5, ruby2.7 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.10 - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in Ruby. If a user or automated system were tricked into parsing a specially crafted JSON file, a remote attacker could use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2020-10663) It was discovered that Ruby incorrectly handled certain socket memory operations. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-10933) It was discovered that Ruby incorrectly handled certain transfer-encoding headers when using Webrick. A remote attacker could possibly use this issue to bypass a reverse proxy. (CVE-2020-25613) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.10: libruby2.7 2.7.1-3ubuntu1.2 ruby2.7 2.7.1-3ubuntu1.2 Ubuntu 20.04 LTS: libruby2.7 2.7.0-5ubuntu1.3 ruby2.7 2.7.0-5ubuntu1.3 Ubuntu 18.04 LTS: libruby2.5 2.5.1-1ubuntu1.8 ruby2.5 2.5.1-1ubuntu1.8 Ubuntu 16.04 LTS: libruby2.3 2.3.1-2~ubuntu16.04.15 ruby2.3 2.3.1-2~ubuntu16.04.15 In general, a standard system update will make all the necessary changes. 8) - ppc64le, s390x, x86_64 3. Description: The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Bug Fix(es): * pcs status on remotes is not working on rhel8.2 any longer (BZ#1832914) * pcs cluster stop --all throws errors and doesn't seem to honor the request-timeout option (BZ#1838084) * [GUI] Colocation constraint can't be added (BZ#1840158) 4. Bugs fixed (https://bugzilla.redhat.com/): 1827500 - CVE-2020-10663 rubygem-json: Unsafe Object Creation Vulnerability in JSON 1832914 - pcs status on remotes is not working on rhel8.2 any longer [rhel-8.2.0.z] 1838084 - pcs cluster stop --all throws errors and doesn't seem to honor the request-timeout option [rhel-8.2.0.z] 1840158 - [GUI] Colocation constraint can't be added [rhel-8.2.0.z] 6. Bug Fix(es): * [GUI] Colocation constraint can't be added (BZ#1840156) 4

Trust: 1.8

sources: NVD: CVE-2020-10663 // VULHUB: VHN-163164 // PACKETSTORM: 163317 // PACKETSTORM: 163318 // PACKETSTORM: 162953 // PACKETSTORM: 160545 // PACKETSTORM: 161870 // PACKETSTORM: 158023 // PACKETSTORM: 158018 // PACKETSTORM: 166075 // PACKETSTORM: 166070

AFFECTED PRODUCTS

vendor:	opensuse	model:	leap	scope:	eq	version:	15.1	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	8.0	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	10.0	Trust: 1.0
vendor:	json	model:	json	scope:	lte	version:	2.2.0	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	30	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	31	Trust: 1.0
vendor:	apple	model:	macos	scope:	eq	version:	11.0.1	Trust: 1.0

sources: NVD: CVE-2020-10663

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-10663
value:	HIGH
Trust: 1.0
CNNVD:	CNNVD-202003-1294
value:	HIGH
Trust: 0.6
VULHUB:	VHN-163164
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-10663
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-163164
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-10663
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-163164 // CNNVD: CNNVD-202003-1294 // NVD: CVE-2020-10663

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.1

sources: VULHUB: VHN-163164 // NVD: CVE-2020-10663

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 161870 // CNNVD: CNNVD-202003-1294

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202003-1294

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-163164

PATCH

title:

Ruby JSON gem Security vulnerabilities

url:

http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=112755

Trust: 0.6

sources: CNNVD: CNNVD-202003-1294

EXTERNAL IDS

db:	NVD	id:	CVE-2020-10663	Trust: 2.6
db:	PACKETSTORM	id:	161870	Trust: 0.8
db:	PACKETSTORM	id:	163317	Trust: 0.8
db:	PACKETSTORM	id:	158023	Trust: 0.8
db:	PACKETSTORM	id:	160545	Trust: 0.8
db:	PACKETSTORM	id:	162953	Trust: 0.8
db:	PACKETSTORM	id:	158184	Trust: 0.7
db:	PACKETSTORM	id:	162764	Trust: 0.7
db:	CNNVD	id:	CNNVD-202003-1294	Trust: 0.7
db:	PACKETSTORM	id:	166075	Trust: 0.7
db:	AUSCERT	id:	ESB-2021.0965	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1467	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1012	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.2182	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.4060	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1638	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1580	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.2023	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.0744	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1405	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.2335	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1800	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1931	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2268	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1331	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.4060.2	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1110.3	Trust: 0.6
db:	CS-HELP	id:	SB2022022116	Trust: 0.6
db:	CS-HELP	id:	SB2021053010	Trust: 0.6
db:	CS-HELP	id:	SB2021060717	Trust: 0.6
db:	CS-HELP	id:	SB2021063008	Trust: 0.6
db:	PACKETSTORM	id:	163318	Trust: 0.2
db:	PACKETSTORM	id:	158018	Trust: 0.2
db:	CNVD	id:	CNVD-2020-32355	Trust: 0.1
db:	VULHUB	id:	VHN-163164	Trust: 0.1
db:	PACKETSTORM	id:	166070	Trust: 0.1

sources: VULHUB: VHN-163164 // PACKETSTORM: 163317 // PACKETSTORM: 163318 // PACKETSTORM: 162953 // PACKETSTORM: 160545 // PACKETSTORM: 161870 // PACKETSTORM: 158023 // PACKETSTORM: 158018 // PACKETSTORM: 166075 // PACKETSTORM: 166070 // CNNVD: CNNVD-202003-1294 // NVD: CVE-2020-10663

REFERENCES

url:	https://security.netapp.com/advisory/ntap-20210129-0003/	Trust: 1.7
url:	https://support.apple.com/kb/ht211931	Trust: 1.7
url:	https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/	Trust: 1.7
url:	https://www.debian.org/security/2020/dsa-4721	Trust: 1.7
url:	http://seclists.org/fulldisclosure/2020/dec/32	Trust: 1.7
url:	https://lists.debian.org/debian-lts-announce/2020/04/msg00030.html	Trust: 1.7
url:	http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00004.html	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10663	Trust: 1.5
url:	https://lists.apache.org/thread.html/r37c0e1807da7ff2bdd028bbe296465a6bbb99e2320dbe661d5d8b33b%40%3cissues.zookeeper.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/r3b04f4e99a19613f88ae088aa18cd271231a3c79dfff8f5efa8cda61%40%3cissues.zookeeper.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/r5f17bfca1d6e7f4b33ae978725b2fd62a9f1b3111696eafa9add802d%40%3cissues.zookeeper.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/r8d2e174230f6d26e16c007546e804c343f1f68956f526daaafa4aaae%40%3cdev.zookeeper.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/rb023d54a46da1ac0d8969097f5fecc79636b07d3b80db7b818a5c55c%40%3cissues.zookeeper.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/rb2b981912446a74e14fe6076c4b7c7d8502727ea0718e6a65a9b1be5%40%3cissues.zookeeper.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/rd9b9cc843f5cf5b532bdad9e87a817967efcf52b917e8c43b6df4cc7%40%3cissues.zookeeper.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/rec8bb4d637b04575da41cfae49118e108e95d43bfac39b7b698ee4db%40%3cissues.zookeeper.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/ree3abcd33c06ee95ab59faa1751198a1186d8941ddc2c2562c12966c%40%3cissues.zookeeper.apache.org%3e	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7ql6mjd2bo4irj5cjfnmcdymqqft24bj/	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/f4tnvtt66vprmx5uzysdgsvrxkkdddu5/	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/nk2pbxwmfrud7u7q7lhv4kylyid77ri4/	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ql6mjd2bo4irj5cjfnmcdymqqft24bj/	Trust: 0.7
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/f4tnvtt66vprmx5uzysdgsvrxkkdddu5/	Trust: 0.7
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/nk2pbxwmfrud7u7q7lhv4kylyid77ri4/	Trust: 0.7
url:	https://lists.apache.org/thread.html/r8d2e174230f6d26e16c007546e804c343f1f68956f526daaafa4aaae@%3cdev.zookeeper.apache.org%3e	Trust: 0.7
url:	https://lists.apache.org/thread.html/rd9b9cc843f5cf5b532bdad9e87a817967efcf52b917e8c43b6df4cc7@%3cissues.zookeeper.apache.org%3e	Trust: 0.7
url:	https://lists.apache.org/thread.html/ree3abcd33c06ee95ab59faa1751198a1186d8941ddc2c2562c12966c@%3cissues.zookeeper.apache.org%3e	Trust: 0.7
url:	https://lists.apache.org/thread.html/rb023d54a46da1ac0d8969097f5fecc79636b07d3b80db7b818a5c55c@%3cissues.zookeeper.apache.org%3e	Trust: 0.7
url:	https://lists.apache.org/thread.html/rb2b981912446a74e14fe6076c4b7c7d8502727ea0718e6a65a9b1be5@%3cissues.zookeeper.apache.org%3e	Trust: 0.7
url:	https://lists.apache.org/thread.html/r5f17bfca1d6e7f4b33ae978725b2fd62a9f1b3111696eafa9add802d@%3cissues.zookeeper.apache.org%3e	Trust: 0.7
url:	https://lists.apache.org/thread.html/rec8bb4d637b04575da41cfae49118e108e95d43bfac39b7b698ee4db@%3cissues.zookeeper.apache.org%3e	Trust: 0.7
url:	https://lists.apache.org/thread.html/r3b04f4e99a19613f88ae088aa18cd271231a3c79dfff8f5efa8cda61@%3cissues.zookeeper.apache.org%3e	Trust: 0.7
url:	https://lists.apache.org/thread.html/r37c0e1807da7ff2bdd028bbe296465a6bbb99e2320dbe661d5d8b33b@%3cissues.zookeeper.apache.org%3e	Trust: 0.7
url:	https://access.redhat.com/security/cve/cve-2020-10663	Trust: 0.7
url:	https://access.redhat.com/articles/11258	Trust: 0.7
url:	https://access.redhat.com/security/team/key/	Trust: 0.7
url:	https://access.redhat.com/security/team/contact/	Trust: 0.7
url:	https://bugzilla.redhat.com/):	Trust: 0.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10933	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-25613	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1467/	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021060717	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1405/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.2182/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1580/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.2023/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1800	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.4060/	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022022116	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1110.3	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2268	Trust: 0.6
url:	https://packetstormsecurity.com/files/162953/red-hat-security-advisory-2021-2230-01.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.4060.2/	Trust: 0.6
url:	https://packetstormsecurity.com/files/161870/ubuntu-security-notice-usn-4882-1.html	Trust: 0.6
url:	https://packetstormsecurity.com/files/162764/red-hat-security-advisory-2021-2104-01.tt.html	Trust: 0.6
url:	https://vigilance.fr/vulnerability/ruby-json-memory-corruption-32118	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1931	Trust: 0.6
url:	https://support.apple.com/en-us/ht211931	Trust: 0.6
url:	https://packetstormsecurity.com/files/163317/red-hat-security-advisory-2021-2587-01.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.0965	Trust: 0.6
url:	https://packetstormsecurity.com/files/158184/red-hat-security-advisory-2020-2670-01.html	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021053010	Trust: 0.6
url:	https://packetstormsecurity.com/files/160545/apple-security-advisory-2020-12-14-4.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.2335/	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021063008	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1638/	Trust: 0.6
url:	https://packetstormsecurity.com/files/158023/red-hat-security-advisory-2020-2462-01.html	Trust: 0.6
url:	https://packetstormsecurity.com/files/166075/red-hat-security-advisory-2022-0582-01.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1331/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.0744	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1012/	Trust: 0.6
url:	https://access.redhat.com/security/cve/cve-2020-10933	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-15845	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-25613	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2019-16255	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2019-16201	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2019-16254	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16254	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2019-15845	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16201	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2021-28965	Trust: 0.5
url:	https://listman.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2021-28965	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16255	Trust: 0.5
url:	https://access.redhat.com/security/updates/classification/#moderate	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3881	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-3881	Trust: 0.2
url:	https://www.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-36327	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-32066	Trust: 0.2
url:	https://access.redhat.com/security/updates/classification/#important	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-41817	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-31810	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-31810	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-32066	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-31799	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-31799	Trust: 0.2
url:	https://access.redhat.com/articles/6206172	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-36327	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-41819	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-41817	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-41819	Trust: 0.2
url:	https://access.redhat.com/errata/rhsa-2021:2587	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:2588	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.7_release_notes/	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:2230	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10014	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13524	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13434	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13435	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14155	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10016	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10011	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10015	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10017	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-27894	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-27896	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13631	Trust: 0.1
url:	https://support.apple.com/ht211931.	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-14899	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10003	Trust: 0.1
url:	https://www.knownsec.com/)	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10009	Trust: 0.1
url:	https://www.apple.com/support/security/pgp/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-15358	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10004	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10008	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-20838	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13630	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10002	Trust: 0.1
url:	https://www.paloaltonetworks.com/)	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10010	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10012	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10006	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10007	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/ruby2.5/2.5.1-1ubuntu1.8	Trust: 0.1
url:	https://ubuntu.com/security/notices/usn-4882-1	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.3	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/ruby2.7/2.7.1-3ubuntu1.2	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/ruby2.3/2.3.1-2~ubuntu16.04.15	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:2462	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:2473	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:0582	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:0581	Trust: 0.1

CREDITS

Red Hat

Trust: 0.7

sources: PACKETSTORM: 163317 // PACKETSTORM: 163318 // PACKETSTORM: 162953 // PACKETSTORM: 158023 // PACKETSTORM: 158018 // PACKETSTORM: 166075 // PACKETSTORM: 166070

SOURCES

db:	VULHUB	id:	VHN-163164
db:	PACKETSTORM	id:	163317
db:	PACKETSTORM	id:	163318
db:	PACKETSTORM	id:	162953
db:	PACKETSTORM	id:	160545
db:	PACKETSTORM	id:	161870
db:	PACKETSTORM	id:	158023
db:	PACKETSTORM	id:	158018
db:	PACKETSTORM	id:	166075
db:	PACKETSTORM	id:	166070
db:	CNNVD	id:	CNNVD-202003-1294
db:	NVD	id:	CVE-2020-10663

LAST UPDATE DATE

2024-09-17T20:44:34.181000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-163164	date:	2022-04-18T00:00:00
db:	CNNVD	id:	CNNVD-202003-1294	date:	2022-02-22T00:00:00
db:	NVD	id:	CVE-2020-10663	date:	2023-11-07T03:14:11.453

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-163164	date:	2020-04-28T00:00:00
db:	PACKETSTORM	id:	163317	date:	2021-06-30T15:20:46
db:	PACKETSTORM	id:	163318	date:	2021-06-30T15:21:00
db:	PACKETSTORM	id:	162953	date:	2021-06-03T15:13:27
db:	PACKETSTORM	id:	160545	date:	2020-12-16T18:05:29
db:	PACKETSTORM	id:	161870	date:	2021-03-19T15:41:51
db:	PACKETSTORM	id:	158023	date:	2020-06-10T15:13:03
db:	PACKETSTORM	id:	158018	date:	2020-06-10T15:10:17
db:	PACKETSTORM	id:	166075	date:	2022-02-21T15:17:19
db:	PACKETSTORM	id:	166070	date:	2022-02-21T15:09:47
db:	CNNVD	id:	CNNVD-202003-1294	date:	2020-03-20T00:00:00
db:	NVD	id:	CVE-2020-10663	date:	2020-04-28T21:15:11.667