Denial of Service (DoS) Affecting json package, versions >=1.7, <1.7.7 >=1.6, <1.6.8 <1.5.5
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-JSON-20060
- published 10 Feb 2013
- disclosed 10 Feb 2013
- credit Thomas Hollstegge, Ben Murphy
Introduced: 10 Feb 2013
CVE-2013-0269 Open this link in a new tabOverview
The json
gem is a JSON implementation as a Ruby extension in C.
Affected versions of this Gem are vulnerable to Denial of Service (DoS) attacks and unsafe object creation vulnerabilities. When parsing certain JSON documents, the JSON gem tricked into creating Ruby symbols in a target system.
Details
When parsing certain JSON documents, the JSON gem can be coerced in to creating Ruby symbols in a target system. Since Ruby symbols are not garbage collected, this can result in a denial of service attack.
The same technique can be used to create objects in a target system that act like internal objects. These "act alike" objects can be used to bypass certain security mechanisms and can be used as a spring board for SQL injection attacks in Ruby on Rails.
Impacted code looks like this:
JSON.parse(user_input)
Where the user_input
variable will have a JSON document like this:
{"json_class":"foo"}
The JSON gem will attempt to look up the constant "foo". Looking up this constant will create a symbol.
In JSON version 1.7.x, objects with arbitrary attributes can be created using JSON documents like this:
{"json_class":"JSON::GenericObject","foo":"bar"}
This document will result in an instance of JSON::GenericObject
, with the attribute "foo" that has the value "bar". Instantiating these objects will result in arbitrary symbol creation and in some cases can be used to bypass security measures.
PLEASE NOTE: this behavior does not change when using JSON.load
. JSON.load
should never be given input from unknown sources. If you are processing JSON from an unknown source, always use JSON.parse
.