There is a heap exposure vulnerability in the JSON library bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2017-14064.
Details
The generate method of the JSON module optionally accepts an instance of the JSON::Ext::Generator::State class. If a malicious instance is passed, the generated output may include contents of the process heap, exposing data that was never meant to be serialized.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Affected Versions
• Ruby 2.2 series: 2.2.7 and earlier
• Ruby 2.3 series: 2.3.4 and earlier
• Ruby 2.4 series: 2.4.1 and earlier
• prior to trunk revision 58323
Workaround
The JSON library is also distributed as a gem. If you can't upgrade Ruby itself, install a JSON gem newer than version 2.0.4 and make sure your application actually loads it rather than the bundled copy: after require 'json', check JSON::VERSION (for a Bundler-managed application, the version pinned in Gemfile.lock is the one that counts).
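The following version check is added here as an illustration and is not part of the original advisory. It encodes the affected Ruby ranges and the json gem threshold listed above, and reports what the running interpreter has loaded; Ruby series not named in the advisory (and trunk builds, which are identified by revision rather than version) are reported as not covered by this check rather than as safe.

```ruby
require 'rubygems'  # Gem::Version, for correct numeric version comparison
require 'json'      # defines JSON::VERSION for whichever json got loaded

# Last vulnerable patch release per Ruby series, from the advisory.
AFFECTED_RUBY = {
  "2.2" => "2.2.7",
  "2.3" => "2.3.4",
  "2.4" => "2.4.1",
}.freeze

# Last vulnerable json gem version named by the advisory ("newer than 2.0.4").
LAST_VULNERABLE_JSON_GEM = "2.0.4".freeze

# Classify a Ruby version string: :affected, :fixed, or :not_listed
# (series the advisory does not mention, e.g. EOL 2.1 or later 2.5+).
def ruby_status(ruby_version)
  v = Gem::Version.new(ruby_version)
  series = v.segments[0, 2].join(".")
  last_bad = AFFECTED_RUBY[series]
  return :not_listed unless last_bad
  v <= Gem::Version.new(last_bad) ? :affected : :fixed
end

# True when the json gem version is past the advisory's threshold.
def json_gem_fixed?(json_version)
  Gem::Version.new(json_version) > Gem::Version.new(LAST_VULNERABLE_JSON_GEM)
end

# Combine both checks into an overall verdict for an interpreter + loaded json.
# The workaround only helps if the patched gem is the copy that got required,
# so the verdict is taken from the json version that is actually loaded.
def verdict(ruby_version, json_version)
  {
    ruby: ruby_version,
    ruby_status: ruby_status(ruby_version),
    json: json_version,
    json_fixed: json_gem_fixed?(json_version),
    safe: json_gem_fixed?(json_version) || ruby_status(ruby_version) == :fixed,
  }
end

if __FILE__ == $0
  # Report on the running interpreter; equivalent to
  #   ruby -rjson -e 'puts RUBY_VERSION, JSON::VERSION'
  r = verdict(RUBY_VERSION, JSON::VERSION)
  puts "ruby #{r[:ruby]} (#{r[:ruby_status]}), json #{r[:json]} " \
       "(#{r[:json_fixed] ? 'patched' : 'vulnerable or unknown'})"
  puts r[:safe] ? "OK: not exposed to CVE-2017-14064" \
                : "ACTION: upgrade Ruby or install a json gem newer than 2.0.4"
end
```

Run it under the interpreter your application uses (and from inside `bundle exec` if Bundler is in play), since a patched gem installed system-wide does nothing for an application whose lockfile still pins json 2.0.4 or older.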
Credit
Thanks to ahmadsherif for reporting this issue.
History
• Originally published at 2017-09-14 12:00:00 (UTC)
Posted by usa on 14 Sep 2017
via Ruby News
http://ift.tt/2y0Rbvn