Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269)

Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269)

There is a denial of service and unsafe object creation vulnerability in the json bundled with ruby. This vulnerability has been assigned the CVE identifier CVE-2013-0269. We strongly recommend to upgrade ruby. Details When parsing certain JSON documents, the JSON gem (includes bundled with ruby) can be coerced in to creating Ruby symbols in a target system. Since Ruby symbols are not garbage collected, this can result in a denial of service attack. The same technique can be used to create objects in a target system that act like internal objects. These "act alike" objects can be used to bypass certain security mechanisms and can be used as a spring board for SQL injection attacks in Ruby on Rails. Impacted code looks like this: JSON.parse(user_input) Where the `user_input` variable will have a JSON document like this: {"json_class":"foo"} The JSON gem will attempt to look...

Full article: http://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-...