CVE-2013-0269: JSON gem has Improper Input Validation vulnerability
CVSS Score: 7.5
Basic Information
CVE ID: CVE-2013-0269
EPSS Score: 0.92683%
Published: 10/24/2017
Updated: 11/6/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| json | rubygems | < 1.5.5 | 1.5.5 |
| json | rubygems | >= 1.6.0, < 1.6.8 | 1.6.8 |
| json | rubygems | >= 1.7.0, < 1.7.7 | 1.7.7 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the JSON parsing logic allowing arbitrary object creation through the 'json_class' field of a parsed object. The root cause is the default 'create_additions: true' behaviour of JSON.parse, which makes the parser look up the named class and instantiate it. The patched versions disable this by default (the CVE-2013-0269 advisory gives the same setting, create_additions: false, as the workaround for unpatched versions). The ext/parser implementation (the gem's C extension parser) performs the actual object creation when this flag is enabled, so those functions are the attack surface.
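As an added illustration (not part of this advisory or the json gem's own code), the Ruby script below shows the control point the analysis describes: the same document carrying a 'json_class' key is parsed once with create_additions pinned to false and once with it enabled, followed by a check that a parse of untrusted input returned only plain JSON types. The Sample class, its json_create hook and the document are constructed for the demo.

```ruby
require 'json'

# Constructed demo class using the json gem's "additions" protocol:
# to_json emits a "json_class" field and json_create rebuilds the object.
# Any loadable class that responds to json_create can be instantiated by
# the parser when create_additions is enabled.
class Sample
  attr_reader :name

  def initialize(name)
    @name = name
  end

  def self.json_create(hash)
    new(hash['name'])
  end

  def to_json(*args)
    { 'json_class' => self.class.name, 'name' => @name }.to_json(*args)
  end
end

# Constructed untrusted document, e.g. a client-supplied request body.
UNTRUSTED_DOC = JSON.generate('json_class' => 'Sample', 'name' => 'alice')

# Hardened parse for untrusted input: create_additions pinned to false.
# The fixed releases (1.5.5 / 1.6.8 / 1.7.7) make this the default; stating
# it explicitly also guards against callers or older gems that flip it.
def parse_untrusted(doc)
  JSON.parse(doc, create_additions: false)
end

# Pre-fix behaviour for comparison: with additions enabled, "json_class"
# names a class that the parser instantiates via json_create.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

# Defensive check: confirm a parsed structure contains only plain JSON
# types, which catches code paths that re-enabled additions.
def plain_json_only?(value)
  case value
  when Hash  then value.all? { |k, v| k.is_a?(String) && plain_json_only?(v) }
  when Array then value.all? { |v| plain_json_only?(v) }
  when String, Integer, Float, true, false, nil then true
  else false
  end
end

if __FILE__ == $0
  safe  = parse_untrusted(UNTRUSTED_DOC)
  risky = parse_with_additions(UNTRUSTED_DOC)
  puts "create_additions: false -> #{safe.class}  plain JSON? #{plain_json_only?(safe)}"
  puts "create_additions: true  -> #{risky.class} plain JSON? #{plain_json_only?(risky)}"
end
```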