A buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's heap memory.
Find out more about CVE-2017-14064 from the MITRE CVE dictionary dictionary and NIST NVD.
This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5, and 6. These versions do not include the JSON module.
This issue affects the versions of ruby as shipped with Red Hat Enterprise Linux 7, as well as the versions of rh-ruby22-ruby and rh-ruby23-ruby as shipped with Red Hat Software Collections. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
CVSS3 Base Score | 5.9 |
---|---|
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
Attack Vector | Network |
Attack Complexity | High |
Privileges Required | None |
User Interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity Impact | None |
Availability Impact | None |
Platform | Errata | Release Date |
---|---|---|
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-ruby23-ruby) | RHSA-2018:0585 | 2018-03-26 |
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-ruby22-ruby) | RHSA-2018:0583 | 2018-03-26 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-ruby22-ruby) | RHSA-2018:0583 | 2018-03-26 |
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-ruby24-ruby) | RHSA-2017:3485 | 2017-12-19 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-ruby24-ruby) | RHSA-2017:3485 | 2017-12-19 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-ruby23-ruby) | RHSA-2018:0585 | 2018-03-26 |
Red Hat Enterprise Linux 7 (ruby) | RHSA-2018:0378 | 2018-02-28 |
Platform | Package | State |
---|---|---|
Red Hat Subscription Asset Manager 1 | ruby193-ruby | Will not fix |
Red Hat Enterprise Linux 6 | ruby | Not affected |
Red Hat Enterprise Linux 5 | ruby | Not affected |