CVE - CVE-2017-14064

CVE-ID
CVE-2017-14064	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\0' byte, returning a pointer to a string of length zero, which is not the length stored in space_len.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MLIST:[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update URL:https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html MISC:https://bugs.ruby-lang.org/issues/13853 MISC:https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85 MISC:https://hackerone.com/reports/209949 CONFIRM:https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/ CONFIRM:https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/ DEBIAN:DSA-3966 URL:https://www.debian.org/security/2017/dsa-3966 GENTOO:GLSA-201710-18 URL:https://security.gentoo.org/glsa/201710-18 REDHAT:RHSA-2017:3485 URL:https://access.redhat.com/errata/RHSA-2017:3485 REDHAT:RHSA-2018:0378 URL:https://access.redhat.com/errata/RHSA-2018:0378 REDHAT:RHSA-2018:0583 URL:https://access.redhat.com/errata/RHSA-2018:0583 REDHAT:RHSA-2018:0585 URL:https://access.redhat.com/errata/RHSA-2018:0585 UBUNTU:USN-3685-1 URL:https://usn.ubuntu.com/3685-1/ BID:100890 URL:http://www.securityfocus.com/bid/100890 SECTRACK:1039363 URL:http://www.securitytracker.com/id/1039363 SECTRACK:1042004 URL:http://www.securitytracker.com/id/1042004
Assigning CNA
MITRE Corporation
Date Entry Created
20170831	Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20170831)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org