Ubuntu update for ruby2.3
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2020-10663 CVE-2020-10933 CVE-2020-25613 |
| CWE-ID | CWE-20 CWE-200 CWE-444 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #3 is available. |
| Vulnerable software Subscribe |
Ubuntu Operating systems & Components / Operating system ruby2.7 (Ubuntu package) Operating systems & Components / Operating system package or component libruby2.7 (Ubuntu package) Operating systems & Components / Operating system package or component ruby2.5 (Ubuntu package) Operating systems & Components / Operating system package or component libruby2.5 (Ubuntu package) Operating systems & Components / Operating system package or component ruby2.3 (Ubuntu package) Operating systems & Components / Operating system package or component libruby2.3 (Ubuntu package) Operating systems & Components / Operating system package or component |
| Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU32971
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-10663
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
MitigationUpdate the affected package ruby2.3 to the latest version.
Vulnerable software versionsUbuntu: 16.04 - 20.10
ruby2.7 (Ubuntu package): before 2.7.1-3ubuntu1.2
libruby2.7 (Ubuntu package): before 2.7.1-3ubuntu1.2
ruby2.5 (Ubuntu package): before 2.5.1-1ubuntu1.8
libruby2.5 (Ubuntu package): before 2.5.1-1ubuntu1.8
ruby2.3 (Ubuntu package): before 2.3.1-2~ubuntu16.04.15
libruby2.3 (Ubuntu package): before 2.3.1-2~ubuntu16.04.15
External linkshttp://ubuntu.com/security/notices/USN-4882-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU31886
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-10933
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to BasicSocket#read_nonblock method outputs previous value of the heap instead of copying the requested data. A remote attacker can gain access to sensitive information on the system.
MitigationUpdate the affected package ruby2.3 to the latest version.
Vulnerable software versionsUbuntu: 16.04 - 20.10
ruby2.7 (Ubuntu package): before 2.7.1-3ubuntu1.2
libruby2.7 (Ubuntu package): before 2.7.1-3ubuntu1.2
ruby2.5 (Ubuntu package): before 2.5.1-1ubuntu1.8
libruby2.5 (Ubuntu package): before 2.5.1-1ubuntu1.8
ruby2.3 (Ubuntu package): before 2.3.1-2~ubuntu16.04.15
libruby2.3 (Ubuntu package): before 2.3.1-2~ubuntu16.04.15
External linkshttp://ubuntu.com/security/notices/USN-4882-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Inconsistent interpretation of HTTP requests
EUVDB-ID: #VU47333
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-25613
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to preform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
MitigationUpdate the affected package ruby2.3 to the latest version.
Vulnerable software versionsUbuntu: 16.04 - 20.10
ruby2.7 (Ubuntu package): before 2.7.1-3ubuntu1.2
libruby2.7 (Ubuntu package): before 2.7.1-3ubuntu1.2
ruby2.5 (Ubuntu package): before 2.5.1-1ubuntu1.8
libruby2.5 (Ubuntu package): before 2.5.1-1ubuntu1.8
ruby2.3 (Ubuntu package): before 2.3.1-2~ubuntu16.04.15
libruby2.3 (Ubuntu package): before 2.3.1-2~ubuntu16.04.15
External linkshttp://ubuntu.com/security/notices/USN-4882-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
