PT-2026-26298 · Ruby+1 · Ruby+2

Davidkorczynski · Published 2026-03-19 · Updated 2026-05-26 · CVE-2026-33210

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Ruby JSON versions 2.14.0 through 2.15.2
Ruby JSON versions 2.17.1 through 2.17.1.2
Ruby JSON versions 2.19.0 through 2.19.2

Description

Ruby JSON is a JSON implementation for Ruby. A format string injection issue exists when the `allow_duplicate_key: false` parsing option is used to parse user-supplied documents. This can lead to denial of service attacks or information disclosure. The `allow_duplicate_key: false` option is not enabled by default, so users who have not specifically enabled it are not affected.

Recommendations

Ruby JSON versions 2.14.0 through 2.15.2: Update to version 2.15.2.1 or later.
Ruby JSON versions 2.17.1 through 2.17.1.2: Update to version 2.17.1.2 or later.
Ruby JSON versions 2.19.0 through 2.19.2: Update to version 2.19.2 or later.
Avoid using the `allow_duplicate_key: false` parsing option.

Exploit

Fix

DoS

Use of Externally-Controlled Format String


Weakness Enumeration

Related identifiers

ALSA-2026:20596
ALSA-2026:20606
CLEANSTART-2026-CQ39708
CLEANSTART-2026-DV49899
CLEANSTART-2026-GE08280
CLEANSTART-2026-OQ84658
CLEANSTART-2026-RZ30606
CVE-2026-33210
GHSA-3M6G-2423-7CP3
RHSA-2026:20596
RHSA-2026:20606

Affected products

Json
Rocky Linux
Ruby