CVE-2020-25739
Published: 23 September 2020
An issue was discovered in the gon gem before gon-6.4.0 for Ruby. MultiJson does not honor the escape_mode parameter to escape fields as an XSS protection mechanism. To mitigate, json_dumper.rb in gon now does escaping for XSS by default without relying on MultiJson.
From the Ubuntu Security Team
It was discovered that Gon gem did not properly escape certain input. An attacker could use this vulnerability to execute a cross-site scripting (XSS) attack.
Priority
Status
Package | Release | Status |
---|---|---|
ruby-gon Launchpad, Ubuntu, Debian |
bionic |
Released
(6.1.0-1+deb9u1build0.18.04.1)
|
focal |
Needed
|
|
groovy |
Ignored
(end of life)
|
|
hirsute |
Not vulnerable
(6.4.0-1)
|
|
impish |
Not vulnerable
(6.4.0-1)
|
|
jammy |
Not vulnerable
(6.4.0-1)
|
|
kinetic |
Not vulnerable
(6.4.0-1)
|
|
lunar |
Not vulnerable
(6.4.0-1)
|
|
mantic |
Not vulnerable
(6.4.0-1)
|
|
noble |
Not vulnerable
(6.4.0-1)
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Needed
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.1 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |