PublicDateAtUSN: 2020-09-23 14:15:00 UTC
Candidate: CVE-2020-25739
PublicDate: 2020-09-23 14:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25739
 https://github.com/gazay/gon/commit/fe3c7b2191a992386dc9edd37de5447a4e809bc7
 https://ubuntu.com/security/notices/USN-4560-1
Description:
 An issue was discovered in the gon gem before gon-6.4.0 for Ruby. MultiJson
 does not honor the escape_mode parameter to escape fields as an XSS
 protection mechanism. To mitigate, json_dumper.rb in gon now does escaping
 for XSS by default without relying on MultiJson.
Ubuntu-Description:
 It was discovered that the Gon gem did not properly escape certain input. An
 attacker could use this vulnerability to execute a cross-site scripting (XSS)
 attack.
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]

Patches_ruby-gon:
upstream_ruby-gon: needs-triage
precise/esm_ruby-gon: DNE
trusty_ruby-gon: ignored (out of standard support)
trusty/esm_ruby-gon: DNE
xenial_ruby-gon: ignored (end of standard support, was needed)
bionic_ruby-gon: released (6.1.0-1+deb9u1build0.18.04.1)
focal_ruby-gon: needed
groovy_ruby-gon: ignored (reached end-of-life)
hirsute_ruby-gon: not-affected (6.4.0-1)
impish_ruby-gon: not-affected (6.4.0-1)
jammy_ruby-gon: not-affected (6.4.0-1)
devel_ruby-gon: not-affected (6.4.0-1)