The JSON gem is vulnerable to denial of service. An attacker is able to create arbitrary objects in the target system using malicious JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects. This can potentially result in a denial of service condition. This vulnerability exists due to an incomplete fix for CVE-2013-0269.
lists.opensuse.org/opensuse-security-announce/2020-05/msg00004.html
seclists.org/fulldisclosure/2020/Dec/32
github.com/flori/json/commit/bbc88248581fb3c7063edd9fae00af5f7d1f18d9
lists.apache.org/thread.html/r37c0e1807da7ff2bdd028bbe296465a6bbb99e2320dbe661d5d8b33b@%3Cissues.zookeeper.apache.org%3E
lists.apache.org/thread.html/r3b04f4e99a19613f88ae088aa18cd271231a3c79dfff8f5efa8cda61@%3Cissues.zookeeper.apache.org%3E
lists.apache.org/thread.html/r5f17bfca1d6e7f4b33ae978725b2fd62a9f1b3111696eafa9add802d@%3Cissues.zookeeper.apache.org%3E
lists.apache.org/thread.html/r8d2e174230f6d26e16c007546e804c343f1f68956f526daaafa4aaae@%3Cdev.zookeeper.apache.org%3E
lists.apache.org/thread.html/rb023d54a46da1ac0d8969097f5fecc79636b07d3b80db7b818a5c55c@%3Cissues.zookeeper.apache.org%3E
lists.apache.org/thread.html/rb2b981912446a74e14fe6076c4b7c7d8502727ea0718e6a65a9b1be5@%3Cissues.zookeeper.apache.org%3E
lists.apache.org/thread.html/rd9b9cc843f5cf5b532bdad9e87a817967efcf52b917e8c43b6df4cc7@%3Cissues.zookeeper.apache.org%3E
lists.apache.org/thread.html/rec8bb4d637b04575da41cfae49118e108e95d43bfac39b7b698ee4db@%3Cissues.zookeeper.apache.org%3E
lists.apache.org/thread.html/ree3abcd33c06ee95ab59faa1751198a1186d8941ddc2c2562c12966c@%3Cissues.zookeeper.apache.org%3E
lists.debian.org/debian-lts-announce/2020/04/msg00030.html
lists.fedoraproject.org/archives/list/[email protected]/message/7QL6MJD2BO4IRJ5CJFNMCDYMQQFT24BJ/
lists.fedoraproject.org/archives/list/[email protected]/message/F4TNVTT66VPRMX5UZYSDGSVRXKKDDDU5/
lists.fedoraproject.org/archives/list/[email protected]/message/NK2PBXWMFRUD7U7Q7LHV4KYLYID77RI4/
security.netapp.com/advisory/ntap-20210129-0003/
support.apple.com/kb/HT211931
www.debian.org/security/2020/dsa-4721
www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/