CVE-2020-10663

Public on 2020-08-10
Modified on 2021-05-24
Description
A flaw was found in rubygem-json. While parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269.
Severity
Medium
CVSS v3 Base Score
7.3
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 ruby 2021-05-20 16:29 ALAS2-2021-1641
Amazon Linux 1 ruby20 2020-08-10 23:07 ALAS-2020-1416
Amazon Linux 1 rubygem-json 2020-08-26 23:09 ALAS-2020-1423
Amazon Linux 1 ruby24 2020-08-26 23:09 ALAS-2020-1422
Amazon Linux 1 ruby21 2020-08-26 23:10 ALAS-2020-1426
Amazon Linux 1 ruby19 2020-08-26 23:10 ALAS-2020-1426

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
NVD CVSSv2 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
NVD CVSSv3 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N