GHSA-78vq-9j56-wrfr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-78vq-9j56-wrfr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-78vq-9j56-wrfr/GHSA-78vq-9j56-wrfr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-78vq-9j56-wrfr
- Aliases
- Published
- 2021-04-30T17:29:15Z
- Modified
- 2024-02-19T05:28:55.784562Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Gon gem lack of escaping certain input when outputting as JSON
- Details
-
An issue was discovered in the gon gem before gon-6.4.0 for Ruby. MultiJson does not honor the escapemode parameter to escape fields as an XSS protection mechanism. To mitigate, jsondumper.rb in gon now does escaping for XSS by default without relying on MultiJson.
- Database specific
{ "nvd_published_at": "2020-09-23T14:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-04-28T15:05:22Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-25739
- https://github.com/gazay/gon/commit/fe3c7b2191a992386dc9edd37de5447a4e809bc7
- https://github.com/gazay/gon
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/gon/CVE-2020-25739.yml
- https://lists.debian.org/debian-lts-announce/2020/09/msg00018.html
- https://usn.ubuntu.com/4560-1
Affected packages
RubyGems / gon
Package
- Name
- gon
- Purl
- pkg:gem/gon
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.4.0
Affected versions
0.*
0.1.0
0.1.1
0.2.0
0.2.1
0.2.2
0.3.0
1.*
1.0.0
1.1.0
1.1.1
1.1.2
1.1.3
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.1.0
2.1.2
2.2.0
2.2.2
2.3.0
3.*
3.0.0
3.0.2
3.0.3
3.0.4
3.0.5
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.1.0
4.1.1
5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.1.0
5.1.1
5.1.2
5.2.0
5.2.1
5.2.2
5.2.3
6.*
6.0.0
6.0.1
6.1.0
6.2.0
6.2.1
6.3.1
6.3.2