Details of VAR-202004-0061

ID

VAR-202004-0061

CVE

CVE-2020-10663

TITLE

JSON gem Input verification vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-005087

DESCRIPTION

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent. An attacker could exploit this vulnerability to forcibly create arbitrary objects on the target system. When parsing certain JSON documents, the json gem can be coerced into creating arbitrary objects in the target system. CVE-2020-10933 Samuel Williams reported a flaw in the socket library which may lead to exposure of possibly sensitive data from the interpreter. For the stable distribution (buster), these problems have been fixed in version 2.5.5-3+deb10u2. We recommend that you upgrade your ruby2.5 packages. For the detailed security status of ruby2.5 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby2.5 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl8F5jVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0RT1Q/9EmtF3l9EwsTqV0RaU0CvycnypEEHk0vahqwtDKe5m1j13RlbhU5PfeNm n8E4pzw30+zROL8vxrCBQbAkBLACJOD9GwnA1G5mUnga1m49+5TyHEfPTFDsZHZ7 XqWuIJiQpOaPAi9xlywyqxji8OHPND2NNtCF1xk3Mpfk/7Y5JNJjFPnQnprfB4Hf c8AMjgmjV4ElJ60ALpXQzP7snVs4S+LA+Qb2O7V05u8zW0ytiEGTJNKrdG/+Rkrm XKUrEwPJLOU9DlR1JDXD491tOSYGiQdS/vWNQsyGKArpdDbhAUOybWZinD6ZG0KR L7atC327+eNDhpIKcmS4jMRnoQwjmlgPK6m0YwF4mKmyL4lWKwqCddDnIfr7jRSq bW3esnLJatEJiUbcSLpuBn0qO5f6HYb1iRhXJDQlPsuySIjObkn+rim9Bvo0NOQZ SZx74Rv1KX/kYpU4KcZyoygRuuWzl3pPYRj5BYJOViDGIcSKay4w7oypLjSWg7b3 BQfKQ7MbIVIXLk27fS/mOKpG0uXM5cer7LGnZSovl+KQmgp4gBdtCpuzat7Jz3YI tJDwDSjfhUQu8Uew+6bnvDUJ+zFEp/fEly2ueZFSYkkPmWPMcaI3OIk/Q2dLt5ZX gC+Vad6gT/C2UBYZCxxcBTHOcAlImTQ/JPCQMOGrvZM6t7QouuA= =rTdk -----END PGP SIGNATURE----- . 8) - aarch64, noarch, ppc64le, s390x, x86_64 3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: rh-ruby26-ruby security, bug fix, and enhancement update Advisory ID: RHSA-2021:2230-01 Product: Red Hat Software Collections Advisory URL: https://access.redhat.com/errata/RHSA-2021:2230 Issue date: 2021-06-03 CVE Names: CVE-2019-3881 CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2020-10663 CVE-2020-10933 CVE-2020-25613 CVE-2021-28965 ==================================================================== 1. Summary: An update for rh-ruby26-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - noarch, ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 3. Description: Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. The following packages have been upgraded to a later upstream version: rh-ruby26-ruby (2.6.7). (BZ#1701182) Security Fix(es): * rubygem-bundler: Insecure permissions on directory in /tmp/ allows for execution of malicious code (CVE-2019-3881) * ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? (CVE-2019-15845) * ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication (CVE-2019-16201) * ruby: Code injection via command argument of Shell#test / Shell#[] (CVE-2019-16255) * rubygem-json: Unsafe object creation vulnerability in JSON (CVE-2020-10663) * ruby: BasicSocket#read_nonblock method leads to information disclosure (CVE-2020-10933) * ruby: Potential HTTP request smuggling in WEBrick (CVE-2020-25613) * ruby: XML round-trip vulnerability in REXML (CVE-2021-28965) * ruby: HTTP response splitting in WEBrick (CVE-2019-16254) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * rh-ruby26-ruby: Resolv::DNS: timeouts if multiple IPv6 name servers are given and address contains leading zero [rhscl-3] (BZ#1950331) Additional Changes: For detailed information on changes in this release, see the Red Hat Software Collections 3.7 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1651826 - CVE-2019-3881 rubygem-bundler: Insecure permissions on directory in /tmp/ allows for execution of malicious code 1773728 - CVE-2019-16201 ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication 1789407 - CVE-2019-15845 ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? 1789556 - CVE-2019-16254 ruby: HTTP response splitting in WEBrick 1793683 - CVE-2019-16255 ruby: Code injection via command argument of Shell#test / Shell#[] 1827500 - CVE-2020-10663 rubygem-json: Unsafe object creation vulnerability in JSON 1833291 - CVE-2020-10933 ruby: BasicSocket#read_nonblock method leads to information disclosure 1883623 - CVE-2020-25613 ruby: Potential HTTP request smuggling in WEBrick 1947526 - CVE-2021-28965 ruby: XML round-trip vulnerability in REXML 1950331 - rh-ruby26-ruby: Resolv::DNS: timeouts if multiple IPv6 name servers are given and address contains leading zero [rhscl-3] 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: rh-ruby26-ruby-2.6.7-119.el7.src.rpm noarch: rh-ruby26-ruby-doc-2.6.7-119.el7.noarch.rpm rh-ruby26-rubygem-bundler-1.17.2-119.el7.noarch.rpm rh-ruby26-rubygem-did_you_mean-1.3.0-119.el7.noarch.rpm rh-ruby26-rubygem-irb-1.0.0-119.el7.noarch.rpm rh-ruby26-rubygem-minitest-5.11.3-119.el7.noarch.rpm rh-ruby26-rubygem-net-telnet-0.2.0-119.el7.noarch.rpm rh-ruby26-rubygem-power_assert-1.1.3-119.el7.noarch.rpm rh-ruby26-rubygem-rake-12.3.3-119.el7.noarch.rpm rh-ruby26-rubygem-rdoc-6.1.2-119.el7.noarch.rpm rh-ruby26-rubygem-test-unit-3.2.9-119.el7.noarch.rpm rh-ruby26-rubygem-xmlrpc-0.3.0-119.el7.noarch.rpm rh-ruby26-rubygems-3.0.3.1-119.el7.noarch.rpm rh-ruby26-rubygems-devel-3.0.3.1-119.el7.noarch.rpm ppc64le: rh-ruby26-ruby-2.6.7-119.el7.ppc64le.rpm rh-ruby26-ruby-debuginfo-2.6.7-119.el7.ppc64le.rpm rh-ruby26-ruby-devel-2.6.7-119.el7.ppc64le.rpm rh-ruby26-ruby-libs-2.6.7-119.el7.ppc64le.rpm rh-ruby26-rubygem-bigdecimal-1.4.1-119.el7.ppc64le.rpm rh-ruby26-rubygem-io-console-0.4.7-119.el7.ppc64le.rpm rh-ruby26-rubygem-json-2.1.0-119.el7.ppc64le.rpm rh-ruby26-rubygem-openssl-2.1.2-119.el7.ppc64le.rpm rh-ruby26-rubygem-psych-3.1.0-119.el7.ppc64le.rpm s390x: rh-ruby26-ruby-2.6.7-119.el7.s390x.rpm rh-ruby26-ruby-debuginfo-2.6.7-119.el7.s390x.rpm rh-ruby26-ruby-devel-2.6.7-119.el7.s390x.rpm rh-ruby26-ruby-libs-2.6.7-119.el7.s390x.rpm rh-ruby26-rubygem-bigdecimal-1.4.1-119.el7.s390x.rpm rh-ruby26-rubygem-io-console-0.4.7-119.el7.s390x.rpm rh-ruby26-rubygem-json-2.1.0-119.el7.s390x.rpm rh-ruby26-rubygem-openssl-2.1.2-119.el7.s390x.rpm rh-ruby26-rubygem-psych-3.1.0-119.el7.s390x.rpm x86_64: rh-ruby26-ruby-2.6.7-119.el7.x86_64.rpm rh-ruby26-ruby-debuginfo-2.6.7-119.el7.x86_64.rpm rh-ruby26-ruby-devel-2.6.7-119.el7.x86_64.rpm rh-ruby26-ruby-libs-2.6.7-119.el7.x86_64.rpm rh-ruby26-rubygem-bigdecimal-1.4.1-119.el7.x86_64.rpm rh-ruby26-rubygem-io-console-0.4.7-119.el7.x86_64.rpm rh-ruby26-rubygem-json-2.1.0-119.el7.x86_64.rpm rh-ruby26-rubygem-openssl-2.1.2-119.el7.x86_64.rpm rh-ruby26-rubygem-psych-3.1.0-119.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7): Source: rh-ruby26-ruby-2.6.7-119.el7.src.rpm noarch: rh-ruby26-ruby-doc-2.6.7-119.el7.noarch.rpm rh-ruby26-rubygem-bundler-1.17.2-119.el7.noarch.rpm rh-ruby26-rubygem-did_you_mean-1.3.0-119.el7.noarch.rpm rh-ruby26-rubygem-irb-1.0.0-119.el7.noarch.rpm rh-ruby26-rubygem-minitest-5.11.3-119.el7.noarch.rpm rh-ruby26-rubygem-net-telnet-0.2.0-119.el7.noarch.rpm rh-ruby26-rubygem-power_assert-1.1.3-119.el7.noarch.rpm rh-ruby26-rubygem-rake-12.3.3-119.el7.noarch.rpm rh-ruby26-rubygem-rdoc-6.1.2-119.el7.noarch.rpm rh-ruby26-rubygem-test-unit-3.2.9-119.el7.noarch.rpm rh-ruby26-rubygem-xmlrpc-0.3.0-119.el7.noarch.rpm rh-ruby26-rubygems-3.0.3.1-119.el7.noarch.rpm rh-ruby26-rubygems-devel-3.0.3.1-119.el7.noarch.rpm ppc64le: rh-ruby26-ruby-2.6.7-119.el7.ppc64le.rpm rh-ruby26-ruby-debuginfo-2.6.7-119.el7.ppc64le.rpm rh-ruby26-ruby-devel-2.6.7-119.el7.ppc64le.rpm rh-ruby26-ruby-libs-2.6.7-119.el7.ppc64le.rpm rh-ruby26-rubygem-bigdecimal-1.4.1-119.el7.ppc64le.rpm rh-ruby26-rubygem-io-console-0.4.7-119.el7.ppc64le.rpm rh-ruby26-rubygem-json-2.1.0-119.el7.ppc64le.rpm rh-ruby26-rubygem-openssl-2.1.2-119.el7.ppc64le.rpm rh-ruby26-rubygem-psych-3.1.0-119.el7.ppc64le.rpm s390x: rh-ruby26-ruby-2.6.7-119.el7.s390x.rpm rh-ruby26-ruby-debuginfo-2.6.7-119.el7.s390x.rpm rh-ruby26-ruby-devel-2.6.7-119.el7.s390x.rpm rh-ruby26-ruby-libs-2.6.7-119.el7.s390x.rpm rh-ruby26-rubygem-bigdecimal-1.4.1-119.el7.s390x.rpm rh-ruby26-rubygem-io-console-0.4.7-119.el7.s390x.rpm rh-ruby26-rubygem-json-2.1.0-119.el7.s390x.rpm rh-ruby26-rubygem-openssl-2.1.2-119.el7.s390x.rpm rh-ruby26-rubygem-psych-3.1.0-119.el7.s390x.rpm x86_64: rh-ruby26-ruby-2.6.7-119.el7.x86_64.rpm rh-ruby26-ruby-debuginfo-2.6.7-119.el7.x86_64.rpm rh-ruby26-ruby-devel-2.6.7-119.el7.x86_64.rpm rh-ruby26-ruby-libs-2.6.7-119.el7.x86_64.rpm rh-ruby26-rubygem-bigdecimal-1.4.1-119.el7.x86_64.rpm rh-ruby26-rubygem-io-console-0.4.7-119.el7.x86_64.rpm rh-ruby26-rubygem-json-2.1.0-119.el7.x86_64.rpm rh-ruby26-rubygem-openssl-2.1.2-119.el7.x86_64.rpm rh-ruby26-rubygem-psych-3.1.0-119.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-ruby26-ruby-2.6.7-119.el7.src.rpm noarch: rh-ruby26-ruby-doc-2.6.7-119.el7.noarch.rpm rh-ruby26-rubygem-bundler-1.17.2-119.el7.noarch.rpm rh-ruby26-rubygem-did_you_mean-1.3.0-119.el7.noarch.rpm rh-ruby26-rubygem-irb-1.0.0-119.el7.noarch.rpm rh-ruby26-rubygem-minitest-5.11.3-119.el7.noarch.rpm rh-ruby26-rubygem-net-telnet-0.2.0-119.el7.noarch.rpm rh-ruby26-rubygem-power_assert-1.1.3-119.el7.noarch.rpm rh-ruby26-rubygem-rake-12.3.3-119.el7.noarch.rpm rh-ruby26-rubygem-rdoc-6.1.2-119.el7.noarch.rpm rh-ruby26-rubygem-test-unit-3.2.9-119.el7.noarch.rpm rh-ruby26-rubygem-xmlrpc-0.3.0-119.el7.noarch.rpm rh-ruby26-rubygems-3.0.3.1-119.el7.noarch.rpm rh-ruby26-rubygems-devel-3.0.3.1-119.el7.noarch.rpm x86_64: rh-ruby26-ruby-2.6.7-119.el7.x86_64.rpm rh-ruby26-ruby-debuginfo-2.6.7-119.el7.x86_64.rpm rh-ruby26-ruby-devel-2.6.7-119.el7.x86_64.rpm rh-ruby26-ruby-libs-2.6.7-119.el7.x86_64.rpm rh-ruby26-rubygem-bigdecimal-1.4.1-119.el7.x86_64.rpm rh-ruby26-rubygem-io-console-0.4.7-119.el7.x86_64.rpm rh-ruby26-rubygem-json-2.1.0-119.el7.x86_64.rpm rh-ruby26-rubygem-openssl-2.1.2-119.el7.x86_64.rpm rh-ruby26-rubygem-psych-3.1.0-119.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-3881 https://access.redhat.com/security/cve/CVE-2019-15845 https://access.redhat.com/security/cve/CVE-2019-16201 https://access.redhat.com/security/cve/CVE-2019-16254 https://access.redhat.com/security/cve/CVE-2019-16255 https://access.redhat.com/security/cve/CVE-2020-10663 https://access.redhat.com/security/cve/CVE-2020-10933 https://access.redhat.com/security/cve/CVE-2020-25613 https://access.redhat.com/security/cve/CVE-2021-28965 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.7_release_notes/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYLi8ltzjgjWX9erEAQi7IA/8C86NMaSfOxaQEY15WzNUFZtcT0OfDkBo KMT5uuXXcwj+rpJGF6kqAAW9chI/HVNshKYXXpOeByffFW+5KLlRB1G6mw9LiOIc SZHX1BhK6dxObWtnPQcqE0JDhb16+sb0GQY3+70szm0iMtFjRiwzNTGHy/T6S+nr poCvsrg/5/mPvKtV32x80T6a5sJxFsW5siYfv1DJeoH7LGnBLkAU4vRCJ3IBdQaX yeEAhx6QjKQG6xfB2YD2SsNliALYId1ytKQcs0IgCsk9IuVOX+Vl1cKU/GFrGp8a UVbTap6gb10YrclTz5ssDlE4NXXPFOx4nX8wI4QxeNam2Sy3tD0uhfgGaN5OdXiz CJZnwE/qIaxzzNMf0TdXaAtYZ7InEr6xjBlc5ncInvI0aQaiDWLKL6odgrLkfboa a+0leBVx3FeREY//WMw5LT1mRzqsnYaK3qT9C6tfxF/NTBFmZmVmJmbC6PiTZWfK T5KjjZJpmbIo1JvjIaWzWCZT8dDhoxSvNWk0CefLlI3/SsUyCURfjmJc7zpbNmzJ l0jIG9kjHVriRjhoWUWBzY7z7QkGx+tU0KYKB1Kx+J1BDXMdLaeJ7ubJIJRBQ4F/ A+75BfTYoxEHjF171or+rIGkOGadwCerTggyNuFi8aQSk4KWmROCFUoiYbEtYxp4 UD6NGAugxlg=k+Dm -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . 8.1) - ppc64le, s390x, x86_64 3. Description: The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Bug Fix(es): * [GUI] Colocation constraint can't be added (BZ#1840157) 4

Trust: 2.43

sources: NVD: CVE-2020-10663 // JVNDB: JVNDB-2020-005087 // VULHUB: VHN-163164 // PACKETSTORM: 168868 // PACKETSTORM: 163317 // PACKETSTORM: 163318 // PACKETSTORM: 162953 // PACKETSTORM: 158184 // PACKETSTORM: 158018 // PACKETSTORM: 166075 // PACKETSTORM: 166070

AFFECTED PRODUCTS

vendor:	debian	model:	linux	scope:	eq	version:	8.0	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	30	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	10.0	Trust: 1.0
vendor:	apple	model:	macos	scope:	eq	version:	11.0.1	Trust: 1.0
vendor:	opensuse	model:	leap	scope:	eq	version:	15.1	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	31	Trust: 1.0
vendor:	json	model:	json	scope:	lte	version:	2.2.0	Trust: 1.0
vendor:	debian	model:	gnu/linux	scope:	-	version:	-	Trust: 0.8
vendor:	fedora	model:	fedora	scope:	-	version:	-	Trust: 0.8
vendor:	json	model:	json	scope:	eq	version:	2.2.0	Trust: 0.8
vendor:	opensuse	model:	leap	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2020-005087 // NVD: CVE-2020-10663

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-10663
value:	HIGH
Trust: 1.0
NVD:	JVNDB-2020-005087
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202003-1294
value:	HIGH
Trust: 0.6
VULHUB:	VHN-163164
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-10663
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2020-005087
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-163164
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-10663
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	JVNDB-2020-005087
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-163164 // JVNDB: JVNDB-2020-005087 // CNNVD: CNNVD-202003-1294 // NVD: CVE-2020-10663

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-163164 // JVNDB: JVNDB-2020-005087 // NVD: CVE-2020-10663

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-1294

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202003-1294

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-005087

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-163164

PATCH

title:	[SECURITY] [DLA 2192-1] ruby2.1 security update	url:	https://lists.debian.org/debian-lts-announce/2020/04/msg00030.html	Trust: 0.8
title:	FEDORA-2020-26df92331a	url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7QL6MJD2BO4IRJ5CJFNMCDYMQQFT24BJ/	Trust: 0.8
title:	FEDORA-2020-a95706b117	url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F4TNVTT66VPRMX5UZYSDGSVRXKKDDDU5/	Trust: 0.8
title:	FEDORA-2020-d171bf636d	url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NK2PBXWMFRUD7U7Q7LHV4KYLYID77RI4/	Trust: 0.8
title:	openSUSE-SU-2020:0586-1	url:	https://lists.opensuse.org/opensuse-security-announce/2020-05/msg00004.html	Trust: 0.8
title:	CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional fix)	url:	https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/	Trust: 0.8
title:	Ruby JSON gem Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=112755	Trust: 0.6

sources: JVNDB: JVNDB-2020-005087 // CNNVD: CNNVD-202003-1294

EXTERNAL IDS

db:	NVD	id:	CVE-2020-10663	Trust: 3.3
db:	PACKETSTORM	id:	163317	Trust: 0.8
db:	PACKETSTORM	id:	158184	Trust: 0.8
db:	PACKETSTORM	id:	162953	Trust: 0.8
db:	JVNDB	id:	JVNDB-2020-005087	Trust: 0.8
db:	PACKETSTORM	id:	161870	Trust: 0.7
db:	PACKETSTORM	id:	158023	Trust: 0.7
db:	PACKETSTORM	id:	160545	Trust: 0.7
db:	PACKETSTORM	id:	162764	Trust: 0.7
db:	CNNVD	id:	CNNVD-202003-1294	Trust: 0.7
db:	PACKETSTORM	id:	166075	Trust: 0.7
db:	AUSCERT	id:	ESB-2021.0965	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1467	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1012	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.2182	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.4060	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1638	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1580	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.2023	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.0744	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1405	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.2335	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1800	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1931	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2268	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1331	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.4060.2	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1110.3	Trust: 0.6
db:	CS-HELP	id:	SB2022022116	Trust: 0.6
db:	CS-HELP	id:	SB2021053010	Trust: 0.6
db:	CS-HELP	id:	SB2021060717	Trust: 0.6
db:	CS-HELP	id:	SB2021063008	Trust: 0.6
db:	PACKETSTORM	id:	163318	Trust: 0.2
db:	PACKETSTORM	id:	158018	Trust: 0.2
db:	CNVD	id:	CNVD-2020-32355	Trust: 0.1
db:	VULHUB	id:	VHN-163164	Trust: 0.1
db:	PACKETSTORM	id:	168868	Trust: 0.1
db:	PACKETSTORM	id:	166070	Trust: 0.1

sources: VULHUB: VHN-163164 // JVNDB: JVNDB-2020-005087 // PACKETSTORM: 168868 // PACKETSTORM: 163317 // PACKETSTORM: 163318 // PACKETSTORM: 162953 // PACKETSTORM: 158184 // PACKETSTORM: 158018 // PACKETSTORM: 166075 // PACKETSTORM: 166070 // CNNVD: CNNVD-202003-1294 // NVD: CVE-2020-10663

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2020-10663	Trust: 2.2
url:	https://security.netapp.com/advisory/ntap-20210129-0003/	Trust: 1.7
url:	https://support.apple.com/kb/ht211931	Trust: 1.7
url:	https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/	Trust: 1.7
url:	https://www.debian.org/security/2020/dsa-4721	Trust: 1.7
url:	http://seclists.org/fulldisclosure/2020/dec/32	Trust: 1.7
url:	https://lists.debian.org/debian-lts-announce/2020/04/msg00030.html	Trust: 1.7
url:	http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00004.html	Trust: 1.7
url:	https://lists.apache.org/thread.html/rb023d54a46da1ac0d8969097f5fecc79636b07d3b80db7b818a5c55c%40%3cissues.zookeeper.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/rd9b9cc843f5cf5b532bdad9e87a817967efcf52b917e8c43b6df4cc7%40%3cissues.zookeeper.apache.org%3e	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/nk2pbxwmfrud7u7q7lhv4kylyid77ri4/	Trust: 1.0
url:	https://lists.apache.org/thread.html/rec8bb4d637b04575da41cfae49118e108e95d43bfac39b7b698ee4db%40%3cissues.zookeeper.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/rb2b981912446a74e14fe6076c4b7c7d8502727ea0718e6a65a9b1be5%40%3cissues.zookeeper.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/r37c0e1807da7ff2bdd028bbe296465a6bbb99e2320dbe661d5d8b33b%40%3cissues.zookeeper.apache.org%3e	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/f4tnvtt66vprmx5uzysdgsvrxkkdddu5/	Trust: 1.0
url:	https://lists.apache.org/thread.html/r3b04f4e99a19613f88ae088aa18cd271231a3c79dfff8f5efa8cda61%40%3cissues.zookeeper.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/r5f17bfca1d6e7f4b33ae978725b2fd62a9f1b3111696eafa9add802d%40%3cissues.zookeeper.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/r8d2e174230f6d26e16c007546e804c343f1f68956f526daaafa4aaae%40%3cdev.zookeeper.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/ree3abcd33c06ee95ab59faa1751198a1186d8941ddc2c2562c12966c%40%3cissues.zookeeper.apache.org%3e	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7ql6mjd2bo4irj5cjfnmcdymqqft24bj/	Trust: 1.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10663	Trust: 0.8
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ql6mjd2bo4irj5cjfnmcdymqqft24bj/	Trust: 0.7
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/f4tnvtt66vprmx5uzysdgsvrxkkdddu5/	Trust: 0.7
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/nk2pbxwmfrud7u7q7lhv4kylyid77ri4/	Trust: 0.7
url:	https://lists.apache.org/thread.html/r8d2e174230f6d26e16c007546e804c343f1f68956f526daaafa4aaae@%3cdev.zookeeper.apache.org%3e	Trust: 0.7
url:	https://lists.apache.org/thread.html/rd9b9cc843f5cf5b532bdad9e87a817967efcf52b917e8c43b6df4cc7@%3cissues.zookeeper.apache.org%3e	Trust: 0.7
url:	https://lists.apache.org/thread.html/ree3abcd33c06ee95ab59faa1751198a1186d8941ddc2c2562c12966c@%3cissues.zookeeper.apache.org%3e	Trust: 0.7
url:	https://lists.apache.org/thread.html/rb023d54a46da1ac0d8969097f5fecc79636b07d3b80db7b818a5c55c@%3cissues.zookeeper.apache.org%3e	Trust: 0.7
url:	https://lists.apache.org/thread.html/rb2b981912446a74e14fe6076c4b7c7d8502727ea0718e6a65a9b1be5@%3cissues.zookeeper.apache.org%3e	Trust: 0.7
url:	https://lists.apache.org/thread.html/r5f17bfca1d6e7f4b33ae978725b2fd62a9f1b3111696eafa9add802d@%3cissues.zookeeper.apache.org%3e	Trust: 0.7
url:	https://lists.apache.org/thread.html/rec8bb4d637b04575da41cfae49118e108e95d43bfac39b7b698ee4db@%3cissues.zookeeper.apache.org%3e	Trust: 0.7
url:	https://lists.apache.org/thread.html/r3b04f4e99a19613f88ae088aa18cd271231a3c79dfff8f5efa8cda61@%3cissues.zookeeper.apache.org%3e	Trust: 0.7
url:	https://lists.apache.org/thread.html/r37c0e1807da7ff2bdd028bbe296465a6bbb99e2320dbe661d5d8b33b@%3cissues.zookeeper.apache.org%3e	Trust: 0.7
url:	https://access.redhat.com/security/cve/cve-2020-10663	Trust: 0.7
url:	https://access.redhat.com/articles/11258	Trust: 0.7
url:	https://access.redhat.com/security/team/key/	Trust: 0.7
url:	https://access.redhat.com/security/team/contact/	Trust: 0.7
url:	https://bugzilla.redhat.com/):	Trust: 0.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10933	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1467/	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021060717	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1405/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.2182/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1580/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.2023/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1800	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.4060/	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022022116	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1110.3	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2268	Trust: 0.6
url:	https://packetstormsecurity.com/files/162953/red-hat-security-advisory-2021-2230-01.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.4060.2/	Trust: 0.6
url:	https://packetstormsecurity.com/files/161870/ubuntu-security-notice-usn-4882-1.html	Trust: 0.6
url:	https://packetstormsecurity.com/files/162764/red-hat-security-advisory-2021-2104-01.tt.html	Trust: 0.6
url:	https://vigilance.fr/vulnerability/ruby-json-memory-corruption-32118	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1931	Trust: 0.6
url:	https://support.apple.com/en-us/ht211931	Trust: 0.6
url:	https://packetstormsecurity.com/files/163317/red-hat-security-advisory-2021-2587-01.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.0965	Trust: 0.6
url:	https://packetstormsecurity.com/files/158184/red-hat-security-advisory-2020-2670-01.html	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021053010	Trust: 0.6
url:	https://packetstormsecurity.com/files/160545/apple-security-advisory-2020-12-14-4.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.2335/	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021063008	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1638/	Trust: 0.6
url:	https://packetstormsecurity.com/files/158023/red-hat-security-advisory-2020-2462-01.html	Trust: 0.6
url:	https://packetstormsecurity.com/files/166075/red-hat-security-advisory-2022-0582-01.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1331/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.0744	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1012/	Trust: 0.6
url:	https://access.redhat.com/security/cve/cve-2020-10933	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-15845	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-25613	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2019-16255	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2019-16201	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2019-16254	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16254	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2019-15845	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16201	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2021-28965	Trust: 0.5
url:	https://listman.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2021-28965	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16255	Trust: 0.5
url:	https://access.redhat.com/security/updates/classification/#moderate	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2020-25613	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3881	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-3881	Trust: 0.2
url:	https://www.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-36327	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-32066	Trust: 0.2
url:	https://access.redhat.com/security/updates/classification/#important	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-41817	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-31810	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-31810	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-32066	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-31799	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-31799	Trust: 0.2
url:	https://access.redhat.com/articles/6206172	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-36327	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-41819	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-41817	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-41819	Trust: 0.2
url:	https://security-tracker.debian.org/tracker/ruby2.5	Trust: 0.1
url:	https://www.debian.org/security/faq	Trust: 0.1
url:	https://www.debian.org/security/	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:2587	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:2588	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.7_release_notes/	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:2230	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:2670	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:2473	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:0582	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:0581	Trust: 0.1

CREDITS

Red Hat

Trust: 0.7

sources: PACKETSTORM: 163317 // PACKETSTORM: 163318 // PACKETSTORM: 162953 // PACKETSTORM: 158184 // PACKETSTORM: 158018 // PACKETSTORM: 166075 // PACKETSTORM: 166070

SOURCES

db:	VULHUB	id:	VHN-163164
db:	JVNDB	id:	JVNDB-2020-005087
db:	PACKETSTORM	id:	168868
db:	PACKETSTORM	id:	163317
db:	PACKETSTORM	id:	163318
db:	PACKETSTORM	id:	162953
db:	PACKETSTORM	id:	158184
db:	PACKETSTORM	id:	158018
db:	PACKETSTORM	id:	166075
db:	PACKETSTORM	id:	166070
db:	CNNVD	id:	CNNVD-202003-1294
db:	NVD	id:	CVE-2020-10663

LAST UPDATE DATE

2024-12-21T21:06:17.758000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-163164	date:	2022-04-18T00:00:00
db:	JVNDB	id:	JVNDB-2020-005087	date:	2020-06-05T00:00:00
db:	CNNVD	id:	CNNVD-202003-1294	date:	2022-02-22T00:00:00
db:	NVD	id:	CVE-2020-10663	date:	2024-11-21T04:55:47.670

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-163164	date:	2020-04-28T00:00:00
db:	JVNDB	id:	JVNDB-2020-005087	date:	2020-06-05T00:00:00
db:	PACKETSTORM	id:	168868	date:	2020-07-28T19:12:00
db:	PACKETSTORM	id:	163317	date:	2021-06-30T15:20:46
db:	PACKETSTORM	id:	163318	date:	2021-06-30T15:21:00
db:	PACKETSTORM	id:	162953	date:	2021-06-03T15:13:27
db:	PACKETSTORM	id:	158184	date:	2020-06-23T15:00:55
db:	PACKETSTORM	id:	158018	date:	2020-06-10T15:10:17
db:	PACKETSTORM	id:	166075	date:	2022-02-21T15:17:19
db:	PACKETSTORM	id:	166070	date:	2022-02-21T15:09:47
db:	CNNVD	id:	CNNVD-202003-1294	date:	2020-03-20T00:00:00
db:	NVD	id:	CVE-2020-10663	date:	2020-04-28T21:15:11.667