CVE-2020-25739

Name: CVE-2020-25739
Description: An issue was discovered in the gon gem before gon-6.4.0 for Ruby. MultiJson does not honor the escape_mode parameter to escape fields as an XSS protection mechanism. To mitigate, json_dumper.rb in gon now does escaping for XSS by default without relying on MultiJson.
Source: CVE (at NVD)
References: DLA-2380-1
Debian Bugs: 970938

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                 Version    Status
ruby-gon (PTS)    buster                  6.2.1-1    vulnerable
ruby-gon (PTS)    bullseye                6.4.0-1    fixed
ruby-gon (PTS)    sid, trixie, bookworm   6.4.0-2    fixed

The information below is based on the following data on fixed versions.

Package    Type      Release      Fixed Version      Urgency    Origin        Debian Bugs
ruby-gon   source    stretch      6.1.0-1+deb9u1                DLA-2380-1
ruby-gon   source    (unstable)   6.4.0-1                                     970938

Notes

[buster] - ruby-gon <no-dsa> (Minor issue)
https://github.com/gazay/gon/commit/fe3c7b2191a992386dc9edd37de5447a4e809bc7
