CVE-2020-10663

Public on 2020-04-28

Modified on 2023-06-09

Description

A flaw was found in rubygem-json. While parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269.

Severity

Important

See what this means

CVSS v3 Base Score

7.5

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 2 - Core	ruby	2021-05-20 16:29	ALAS2-2021-1641
Amazon Linux 2 - Ruby2.6 Extra	ruby	2023-08-21 20:59	ALAS2RUBY2.6-2023-007
Amazon Linux 1	ruby19	2020-08-26 23:10	ALAS-2020-1426
Amazon Linux 1	ruby20	2020-08-10 23:07	ALAS-2020-1416
Amazon Linux 1	ruby21	2020-08-26 23:10	ALAS-2020-1426
Amazon Linux 1	ruby24	2020-08-26 23:09	ALAS-2020-1422
Amazon Linux 1	rubygem-json	2020-08-26 23:09	ALAS-2020-1423

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
NVD	CVSSv2	5.0	AV:N/AC:L/Au:N/C:N/I:P/A:N
NVD	CVSSv3	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

Red Hat: CVE-2020-10663 Mitre: CVE-2020-10663 FAQs regarding Amazon Linux ALAS/CVE Severity