CVE-2017-14064: Heap exposure vulnerability in generating JSON

There is a heap exposure vulnerability in the JSON library bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2017-14064.

Details

The generate method of the JSON module optionally accepts an instance of the JSON::Ext::Generator::State class. If a malicious instance is passed, the result may include contents of the heap.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Affected Versions

  • Ruby 2.2 series: 2.2.7 and earlier
  • Ruby 2.3 series: 2.3.4 and earlier
  • Ruby 2.4 series: 2.4.1 and earlier
  • prior to trunk revision 58323

Workaround

The JSON library is also distributed as a gem. If you can’t upgrade Ruby itself, install a version of the JSON gem newer than 2.0.4.
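To check a running process against the affected-version list and the workaround above, the following added example (not part of the original advisory or of Ruby itself) compares RUBY_VERSION and JSON::VERSION with those thresholds. The function names and status symbols are illustrative assumptions, and the trunk revision bound is not checked.

```ruby
require "rubygems" # Gem::Version
require "json"     # JSON::VERSION reports the json library actually loaded

# Last affected release in each series, copied from the advisory.
LAST_AFFECTED_RUBY = {
  "2.2" => Gem::Version.new("2.2.7"),
  "2.3" => Gem::Version.new("2.3.4"),
  "2.4" => Gem::Version.new("2.4.1"),
}.freeze

# The workaround asks for a json gem newer than this version.
JSON_WORKAROUND_FLOOR = Gem::Version.new("2.0.4")

# true/false for a listed series, nil when the advisory does not list the series.
def ruby_listed_as_affected?(ruby_version)
  v = Gem::Version.new(ruby_version)
  last = LAST_AFFECTED_RUBY[v.segments.first(2).join(".")]
  last.nil? ? nil : v <= last
end

# "Newer than 2.0.4" is a strict comparison: 2.0.4 itself does not qualify.
def json_workaround_applied?(json_version)
  Gem::Version.new(json_version) > JSON_WORKAROUND_FLOOR
end

# Returns :json_gem_ok, :affected, :fixed_release or :series_not_listed
# (hypothetical status names chosen for this example).
def cve_2017_14064_status(ruby_version, json_version)
  return :json_gem_ok if json_workaround_applied?(json_version)
  case ruby_listed_as_affected?(ruby_version)
  when true  then :affected
  when false then :fixed_release
  else            :series_not_listed
  end
end

# Report on the interpreter and json library this script is running under.
status = cve_2017_14064_status(RUBY_VERSION, JSON::VERSION)
puts "ruby #{RUBY_VERSION}, json #{JSON::VERSION}: #{status}"
```

Run it with the same interpreter and Gemfile as the application, since JSON::VERSION reflects the library that was actually loaded rather than every version installed.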

Credit

Thanks to ahmadsherif for reporting this issue.

History

  • Originally published at 2017-09-14 12:00:00 (UTC)