The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| json(RubyGems) | 0 | 1.5.5 | N/A |
| json(RubyGems) | 1.6.0 | 1.6.8 | N/A |
| json(RubyGems) | 1.7.0 | 1.7.7 | N/A |
CVSS Metrics
