CVE-2020-25739
Published: 23 September 2020
An issue was discovered in the gon gem before gon-6.4.0 for Ruby. MultiJson does not honor the escape_mode parameter to escape fields as an XSS protection mechanism. To mitigate, json_dumper.rb in gon now does escaping for XSS by default without relying on MultiJson.
From the Ubuntu Security Team
It was discovered that Gon gem did not properly escape certain input. An attacker could use this vulnerability to execute a cross-site scripting (XSS) attack.
Priority
Status
Package | Release | Status |
---|---|---|
ruby-gon Launchpad, Ubuntu, Debian |
hirsute |
Not vulnerable
(6.4.0-1)
|
bionic |
Released
(6.1.0-1+deb9u1build0.18.04.1)
|
|
focal |
Needed
|
|
groovy |
Ignored
(end of life)
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Needed
|
|
jammy |
Not vulnerable
(6.4.0-1)
|
|
impish |
Not vulnerable
(6.4.0-1)
|
|
kinetic |
Not vulnerable
(6.4.0-1)
|
|
lunar |
Not vulnerable
(6.4.0-1)
|
|
mantic |
Not vulnerable
(6.4.0-1)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.1 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |