CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile: 88.7%
Issue Overview:
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent. (CVE-2020-10663)
Affected Packages:
ruby19, ruby21
Issue Correction:
Run yum update ruby19 to update your system.
Run yum update ruby21 to update your system.
New Packages:
i686:
ruby21-libs-2.1.9-1.23.amzn1.i686
rubygem21-io-console-0.4.3-1.23.amzn1.i686
ruby21-2.1.9-1.23.amzn1.i686
rubygem21-bigdecimal-1.2.4-1.23.amzn1.i686
ruby21-devel-2.1.9-1.23.amzn1.i686
ruby21-debuginfo-2.1.9-1.23.amzn1.i686
rubygem21-psych-2.0.5-1.23.amzn1.i686
ruby19-debuginfo-1.9.3.551-33.71.amzn1.i686
ruby19-1.9.3.551-33.71.amzn1.i686
rubygem19-bigdecimal-1.1.0-33.71.amzn1.i686
ruby19-doc-1.9.3.551-33.71.amzn1.i686
ruby19-libs-1.9.3.551-33.71.amzn1.i686
rubygem19-json-1.5.5-33.71.amzn1.i686
ruby19-devel-1.9.3.551-33.71.amzn1.i686
rubygem19-io-console-0.3-33.71.amzn1.i686
noarch:
rubygems21-2.2.5-1.23.amzn1.noarch
ruby21-irb-2.1.9-1.23.amzn1.noarch
ruby21-doc-2.1.9-1.23.amzn1.noarch
rubygems21-devel-2.2.5-1.23.amzn1.noarch
rubygem19-rake-0.9.2.2-33.71.amzn1.noarch
rubygem19-minitest-2.5.1-33.71.amzn1.noarch
rubygems19-1.8.23.2-33.71.amzn1.noarch
ruby19-irb-1.9.3.551-33.71.amzn1.noarch
rubygems19-devel-1.8.23.2-33.71.amzn1.noarch
rubygem19-rdoc-3.9.5-33.71.amzn1.noarch
src:
ruby21-2.1.9-1.23.amzn1.src
ruby19-1.9.3.551-33.71.amzn1.src
x86_64:
ruby21-devel-2.1.9-1.23.amzn1.x86_64
ruby21-2.1.9-1.23.amzn1.x86_64
ruby21-debuginfo-2.1.9-1.23.amzn1.x86_64
rubygem21-io-console-0.4.3-1.23.amzn1.x86_64
rubygem21-psych-2.0.5-1.23.amzn1.x86_64
rubygem21-bigdecimal-1.2.4-1.23.amzn1.x86_64
ruby21-libs-2.1.9-1.23.amzn1.x86_64
rubygem19-bigdecimal-1.1.0-33.71.amzn1.x86_64
rubygem19-io-console-0.3-33.71.amzn1.x86_64
ruby19-debuginfo-1.9.3.551-33.71.amzn1.x86_64
ruby19-1.9.3.551-33.71.amzn1.x86_64
ruby19-libs-1.9.3.551-33.71.amzn1.x86_64
ruby19-doc-1.9.3.551-33.71.amzn1.x86_64
ruby19-devel-1.9.3.551-33.71.amzn1.x86_64
rubygem19-json-1.5.5-33.71.amzn1.x86_64
Red Hat: CVE-2020-10663
Mitre: CVE-2020-10663
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | i686 | ruby21-libs | < 2.1.9-1.23.amzn1 | ruby21-libs-2.1.9-1.23.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | rubygem21-io-console | < 0.4.3-1.23.amzn1 | rubygem21-io-console-0.4.3-1.23.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | ruby21 | < 2.1.9-1.23.amzn1 | ruby21-2.1.9-1.23.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | rubygem21-bigdecimal | < 1.2.4-1.23.amzn1 | rubygem21-bigdecimal-1.2.4-1.23.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | ruby21-devel | < 2.1.9-1.23.amzn1 | ruby21-devel-2.1.9-1.23.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | ruby21-debuginfo | < 2.1.9-1.23.amzn1 | ruby21-debuginfo-2.1.9-1.23.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | rubygem21-psych | < 2.0.5-1.23.amzn1 | rubygem21-psych-2.0.5-1.23.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | ruby19-debuginfo | < 1.9.3.551-33.71.amzn1 | ruby19-debuginfo-1.9.3.551-33.71.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | ruby19 | < 1.9.3.551-33.71.amzn1 | ruby19-1.9.3.551-33.71.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | rubygem19-bigdecimal | < 1.1.0-33.71.amzn1 | rubygem19-bigdecimal-1.1.0-33.71.amzn1.i686.rpm |