CVE-2013-0269: JSON gem has Improper Input Validation vulnerability

CVSS Score
7.5

Basic Information

EPSS Score
0.92683%
Published
10/24/2017
Updated
11/6/2023
KEV Status
No
Technology
Ruby

Technical Details

CVSS Vector
AV:N/AC:L/Au:N/C:P/I:P/A:P
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
json           rubygems    < 1.5.5               1.5.5
json           rubygems    >= 1.6.0, < 1.6.8     1.6.8
json           rubygems    >= 1.7.0, < 1.7.7     1.7.7

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the JSON parsing logic allowing arbitrary object creation via the 'json_class' field: with the pre-fix default of 'create_additions: true', JSON.parse instantiates whatever class that field names. The patches disable additions by default (the CVE-2013-0269 advisory workaround is to pass create_additions: false explicitly). The ext/parser implementation performs the actual object creation when this flag is enabled, so those functions are the attack surface.
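As an added example (not code from this page or from the json gem itself), the two parse modes described above are run on a constructed document, alongside a small check that flags the 'json_class' marker in untrusted input before it reaches any code path with additions enabled. It assumes a Ruby with the json gem and loads json/add/core so that a harmless core class (Range) has a json_create hook.

```ruby
require 'json'
require 'json/add/core' # registers json_create on core classes such as Range (assumed available)

# Constructed sample: an untrusted document whose nested object carries the
# "json_class" key that the additions mechanism uses to choose a Ruby class.
UNTRUSTED_DOC = '{"user":{"json_class":"Range","a":[1,10,false]}}'

# Mitigation from the advisory: disable additions explicitly, so "json_class"
# is treated as an ordinary key and the result is a plain nested Hash.
def parse_untrusted(doc)
  JSON.parse(doc, create_additions: false)
end

# The pre-fix default: additions enabled, so the parser looks up the named
# class and calls its json_create, returning a live Range for the nested hash.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

# Defensive check: walk an already-parsed structure and return the path of
# every object that carries the "json_class" marker, so such documents can be
# rejected or logged before being handed to code that enables additions.
def json_class_markers(value, path = [], found = [])
  case value
  when Hash
    found << path.join('/') if value.key?('json_class')
    value.each { |k, v| json_class_markers(v, path + [k], found) }
  when Array
    value.each_with_index { |v, i| json_class_markers(v, path + [i], found) }
  end
  found
end

if __FILE__ == $PROGRAM_NAME
  p parse_untrusted(UNTRUSTED_DOC)                       # nested Hash, no instantiation
  p parse_with_additions(UNTRUSTED_DOC)                  # {"user"=>1..10}
  p json_class_markers(parse_untrusted(UNTRUSTED_DOC))   # ["user"]
end
```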


WAF Protection Rules

WAF Rule

The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers th
