CVE-2020-25739

Name: CVE-2020-25739
Description: An issue was discovered in the gon gem before gon-6.4.0 for Ruby. MultiJson does not honor the escape_mode parameter to escape fields as an XSS protection mechanism. To mitigate, json_dumper.rb in gon now does escaping for XSS by default without relying on MultiJson.
Source: CVE (at NVD)
References: DLA-2380-1
NVD severity: medium
Debian Bugs: 970938

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release              Version          Status
ruby-gon (PTS)     stretch              6.1.0-1          vulnerable
                   stretch (security)   6.1.0-1+deb9u1   fixed
                   buster               6.2.1-1          vulnerable
                   sid                  6.3.2-1          vulnerable

The information below is based on the following data on fixed versions.

Package    Type     Release      Fixed Version    Urgency   Origin       Debian Bugs
ruby-gon   source   stretch      6.1.0-1+deb9u1             DLA-2380-1
ruby-gon   source   (unstable)   (unfixed)                               970938

Notes

[buster] - ruby-gon <no-dsa> (Minor issue)
https://github.com/gazay/gon/commit/fe3c7b2191a992386dc9edd37de5447a4e809bc7
