CVE-2017-14064: Heap exposure vulnerability in generating JSON

Posted by usa on 14 Sep 2017

There is a heap exposure vulnerability in JSON bundled by Ruby. This vulnerability has been assigned the CVE identifier CVE-2017-14064.

Details

The generate method of JSON module optionally accepts an instance of JSON::Ext::Generator::State class. If a malicious instance is passed, the result may include contents of heap.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Affected Versions

Ruby 2.2 series: 2.2.7 and earlier
Ruby 2.3 series: 2.3.4 and earlier
Ruby 2.4 series: 2.4.1 and earlier
prior to trunk revision 58323

Workaround

The JSON library is also distributed as a gem. If you can’t upgrade Ruby itself, install JSON gem newer than version 2.0.4.

Credit

Thanks to ahmadsherif for reporting this issue.

History

Originally published at 2017-09-14 12:00:00 (UTC)

Ruby

A Programmer's Best Friend