FreeBSD : rubygem-json -- Unsafe Objection Creation Vulnerability in JSON (Additional fix) (40194e1c-6d89-11ea-8082-80ee73419af3)

high Nessus Plugin ID 134921

Language:

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system.

This is the same issue as CVE-2013-0269. The previous fix was incomplete, which addressed JSON.parse(user_input), but didn't address some other styles of JSON parsing including JSON(user_input) and JSON.parse(user_input, nil).

See CVE-2013-0269 in detail. Note that the issue was exploitable to cause a Denial of Service by creating many garbage-uncollectable Symbol objects, but this kind of attack is no longer valid because Symbol objects are now garbage-collectable. However, creating arbitrary bjects may cause severe security consequences depending upon the application code.

Please update the json gem to version 2.3.0 or later. You can use gem update json to update it. If you are using bundler, please add gem 'json', '>= 2.3.0' to your Gemfile.

Solution

Update the affected package.

See Also

https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

http://www.nessus.org/u?5e54143b

Plugin Details

Severity: High

ID: 134921

File Name: freebsd_pkg_40194e1c6d8911ea808280ee73419af3.nasl

Version: 1.5

Type: local

Published: 3/26/2020

Updated: 3/20/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2020-10663

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:freebsd:freebsd, p-cpe:/a:freebsd:freebsd:rubygem-json

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 3/26/2020

Vulnerability Publication Date: 3/19/2020

Reference Information

CVE: CVE-2020-10663