CVE-2026-33210.yml
---
gem: json
cve: 2026-33210
ghsa: 3m6g-2423-7cp3
url: https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3
title: Ruby JSON has a format string injection vulnerability
date: 2026-03-19
description: |
  ### Impact
  A format string injection vulnerability that can lead to denial of
  service attacks or information disclosure when the `allow_duplicate_key:
  false` parsing option is used to parse user-supplied documents.
  This option isn't the default; if you didn't opt in to it,
  you are not impacted.
  ### Patches
  Patched in `2.19.2`.
  ### Workarounds
  The issue can be avoided by not using the `allow_duplicate_key: false`
  parsing option.
unaffected_versions:
  - "< 2.14.0"
patched_versions:
  - "~> 2.15.2.1"
  - "~> 2.17.1.2"
  - ">= 2.19.2"
related:
  url:
    - https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3
    - https://github.com/advisories/GHSA-3m6g-2423-7cp3