{"id":"CVE-2017-14064","details":"Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issue lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\\0' byte, returning a pointer to a string of length zero, which is not the length stored in space_len.","modified":"2026-03-20T11:19:39.174309Z","published":"2017-08-31T17:29:00.183Z","related":["MGASA-2017-0371","SUSE-SU-2020:1570-1"],"references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/100890"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1039363"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3485"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0378"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1042004"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0585"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3685-1/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0583"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201710-18"},{"type":"ADVISORY","url":"https://www.debian.org/security/2017/dsa-3966"},{"type":"ADVISORY","url":"https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/"},{"type":"ADVISORY","url":"https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/"},{"type":"FIX","url":"https://bugs.ruby-lang.org/issues/13853"},{"type":"FIX","url":"https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85"},{"type":"EVIDENCE","url":"https://hackerone.com/reports/209949"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/json","events":[{"introduced":"0"},{"fixed":"8f782fd8e181d9cfe9387ded43a5ca9692266b85"}]},{"type":"GIT","repo":"https://github.com/ruby/ruby","events":[{"introduced":"0"},{"last_affected
":"530165c2948c3eed741db5659f7b937270caa46a"},{"introduced":"0"},{"last_affected":"d40ea2afa6ff5a6e5befcf342fb7b6dc58796b20"},{"introduced":"0"},{"last_affected":"9993701c7d3d83e24699177fef3238d8bf7bbbab"},{"introduced":"0"},{"last_affected":"e3434401aca2e331132652d4458366267e8cf378"},{"introduced":"0"},{"last_affected":"5827d8e887d881eb3a6e6ea7410590261c90545f"},{"introduced":"0"},{"last_affected":"9d222264d5e6a2dcac5aceafb5742a65e53dc513"},{"introduced":"0"},{"last_affected":"c91cb76f8d84b2963f6ede2ef445ad46a6104216"},{"introduced":"0"},{"last_affected":"4bd69735af901266ec21486243fc206030caa6b9"},{"introduced":"0"},{"last_affected":"d4bb726b713658f56e630b6cf817a0155b6f390e"},{"introduced":"0"},{"last_affected":"8183c0532207ad0a9b9f99b659116218a9fa132b"},{"introduced":"0"},{"last_affected":"e11c22602af69e8139ec0649bb39f5a66d1e66a1"},{"introduced":"0"},{"last_affected":"81234c5ecaab58e03e346ebdbf5678e4b8a3db55"},{"introduced":"0"},{"last_affected":"55b2febff000595e6c5d8120ccb888855b7edb6f"},{"introduced":"0"},{"last_affected":"820605ba3c10b9f4dafc4e5d6e09765b8b31cbea"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.2.7"},{"introduced":"0"},{"last_affected":"2.3.0"},{"introduced":"0"},{"last_affected":"2.3.0-preview1"},{"introduced":"0"},{"last_affected":"2.3.0-preview2"},{"introduced":"0"},{"last_affected":"2.3.1"},{"introduced":"0"},{"last_affected":"2.3.2"},{"introduced":"0"},{"last_affected":"2.3.3"},{"introduced":"0"},{"last_affected":"2.3.4"},{"introduced":"0"},{"last_affected":"2.4.0"},{"introduced":"0"},{"last_affected":"2.4.0-preview1"},{"introduced":"0"},{"last_affected":"2.4.0-preview2"},{"introduced":"0"},{"last_affected":"2.4.0-preview3"},{"introduced":"0"},{"last_affected":"2.4.0-rc1"},{"introduced":"0"},{"last_affected":"2.4.1"}]}}],"versions":["v1.1.8","v1.2.0","v1.2.1","v1.2.2","v1.2.3","v1.4.0","v1.4.1","v1.4.2","v1.4.3","v1.4.4","v1.4.4-java","v1.4.5","v1.4.6","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.5.4","v1.6.0","v1.6.1",
"v1.6.2","v1.6.3","v1.6.4","v1.6.5","v1.6.6","v1.6.7","v1.7.0","v1.7.1","v1.7.2","v1.7.3","v1.7.4","v1.7.5","v1.7.6","v1.7.7","v1.8.0","v1.8.1","v1.8.2","v1.8.3","v2.0.0","v2.0.1","v2.0.2"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"17.10"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.5"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-14064.json","vanir_signatures":[{"signature_version":"v1","deprecated":false,"source":"https://github.com/ruby/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85","target":{"file":"ext/json/ext/generator/generator.c","function":"cState_array_nl_set"},"signature_type":"Function","id":"CVE-2017-14064-081830d4","digest":{"function_hash":"333850170000569990630816245825851334286","length":412}},{"signature_version":"v1","deprecated":false,"source":"https://github.com/ruby/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85","target":{"file":"ext/json/ext/generator/generator.c","function":"cState_indent_set"},"signature_type":"Function","id":"CVE-2017-14064-3bbe9110","digest":{"function_hash":"148811423845304250804089795861570238355","length":436}},{"signature_version":"v1","deprecated":false,"source":"https://github.com/ru
by/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85","target":{"file":"ext/json/ext/generator/generator.c","function":"cState_object_nl_set"},"signature_type":"Function","id":"CVE-2017-14064-44119ad3","digest":{"function_hash":"235138498165329040769513923872404799455","length":413}},{"signature_version":"v1","deprecated":false,"source":"https://github.com/ruby/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85","target":{"file":"ext/json/ext/generator/generator.c","function":"cState_space_set"},"signature_type":"Function","id":"CVE-2017-14064-49101875","digest":{"function_hash":"231212006610800307331410088410461672189","length":434}},{"signature_version":"v1","deprecated":false,"source":"https://github.com/ruby/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85","target":{"file":"ext/json/ext/generator/generator.h"},"signature_type":"Line","id":"CVE-2017-14064-6910d9a7","digest":{"threshold":0.9,"line_hashes":["120904374308355083734111949005929042523","26452857847874449151212129149641036903"]}},{"signature_version":"v1","deprecated":false,"source":"https://github.com/ruby/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85","target":{"file":"ext/json/ext/generator/generator.c","function":"fstrndup"},"signature_type":"Function","id":"CVE-2017-14064-709f6fe5","digest":{"function_hash":"178352657454531393926190957860867963360","length":207}},{"signature_version":"v1","deprecated":false,"source":"https://github.com/ruby/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85","target":{"file":"ext/json/ext/generator/generator.c"},"signature_type":"Line","id":"CVE-2017-14064-bb2df37f","digest":{"threshold":0.9,"line_hashes":["203126428726097578240407651447407768962","193928348062049476056199914767292540998","18992539843680518976943110175587805218","318507856882490173243287007951430614995","331377055305598866239756616680018855666","178811035994741578769452089321787285767","203432646838676032209194061565332159502","79145566861867884141474191602216982759","14118550392
830535240411748288371500960","141107907040637505627201232328272113840","4488029395062862805420548455971309090","216554920298105624124125028082587199942","58217186119402190294095398429532077133","154268555576477752669255655074285455849","116938978129615895259416110858600871365","26272765290950953135327040711027961691","42657249236710796016958936661343165221","187518194052195544513889556210237749823","335178387273758271688706615039113585731","59048560601979423467278544029286927301","12602922004186724451618902428544806050","211868815879659581706041366009915183192","173310494673434350338619270441623270086","275663103391244767528307132844466520875"]}},{"signature_version":"v1","deprecated":false,"source":"https://github.com/ruby/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85","target":{"file":"ext/json/ext/generator/generator.c","function":"cState_space_before_set"},"signature_type":"Function","id":"CVE-2017-14064-ffa02b53","digest":{"function_hash":"221211380026251280885482296555216767330","length":448}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}