Critical severity9.8NVD Advisory· Published Aug 31, 2017· Updated Jun 17, 2026
CVE-2017-14064
CVE-2017-14064
Description
Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\0' byte, returning a pointer to a string of length zero, which is not the length stored in space_len.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
51cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*+ 13 more
- cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*range: <=2.2.7
- cpe:2.3:a:ruby-lang:ruby:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.3.0:preview1:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.3.0:preview2:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.4.0:preview1:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.4.0:preview2:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.4.0:preview3:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.4.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.4.1:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*+ 2 more
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- osv-coords21 versionspkg:rpm/suse/ruby2.1&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/ruby2.1&distro=SUSE%20Enterprise%20Storage%205pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCLpkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSSpkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/ruby2.1&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/ruby2.1&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/ruby2.1&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/yast2-ruby-bindings&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/yast2-ruby-bindings&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/yast2-ruby-bindings&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/yast2-ruby-bindings&distro=SUSE%20OpenStack%20Cloud%207
< 2.1.9-19.3.2+ 20 more
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 3.1.53-9.8.1
- (no CPE)range: < 3.1.53-9.8.1
- (no CPE)range: < 3.1.53-9.8.1
- (no CPE)range: < 3.1.53-9.8.1
Patches
Vulnerability mechanics
References
16- bugs.ruby-lang.org/issues/13853nvdIssue TrackingPatchVendor Advisory
- github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85nvdIssue TrackingPatchThird Party Advisory
- hackerone.com/reports/209949nvdExploitThird Party Advisory
- www.securityfocus.com/bid/100890nvdThird Party AdvisoryVDB Entry
- www.securitytracker.com/id/1039363nvdThird Party AdvisoryVDB Entry
- www.securitytracker.com/id/1042004nvdThird Party AdvisoryVDB Entry
- access.redhat.com/errata/RHSA-2017:3485nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2018:0378nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2018:0583nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2018:0585nvdThird Party Advisory
- lists.debian.org/debian-lts-announce/2018/07/msg00012.htmlnvdMailing ListThird Party Advisory
- security.gentoo.org/glsa/201710-18nvdThird Party Advisory
- usn.ubuntu.com/3685-1/nvdThird Party Advisory
- www.debian.org/security/2017/dsa-3966nvdThird Party Advisory
- www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/nvdVendor Advisory
- www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/nvdVendor Advisory
News mentions
0No linked articles in our index yet.