CVE-2020-36327
CVSS v3.1: 8.8 (High)
CVSS v2.0: 9.3 (High)
EPSS: 0.97 % (84th percentile)
Affected Products: 3
Advisories: 16
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.
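Added example (not part of this CVE record or of Bundler itself): a small Ruby check that tests a Bundler version against the affected ranges stated above and audits a Gemfile for gems that are not pinned to a single source while more than one global `source` is declared, the layout in which Bundler's highest-version choice can pick a rogue public gem. The Gemfile DSL is re-implemented minimally here and only records `source`, `gem` and `group`; the gem names and private source URL are constructed.

```ruby
# Added example, not part of the CVE record: checks a Bundler version against the
# affected ranges named in CVE-2020-36327 and audits a Gemfile for gems that are
# not pinned to one source while several global sources are declared.
AFFECTED_RANGES = [
  [Gem::Version.new("1.16.0"), Gem::Version.new("2.2.9")],
  [Gem::Version.new("2.2.11"), Gem::Version.new("2.2.16")],
].freeze
def bundler_affected?(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.any? { |lo, hi| v >= lo && v <= hi }
end
# Minimal recording DSL for source/gem/group; not Bundler's own DSL, ignores the rest.
class GemfileAudit
  attr_reader :global_sources, :unscoped
  def initialize
    @global_sources, @scope, @unscoped = [], nil, []
  end
  def self.run(gemfile_text)
    new.tap { |a| a.instance_eval(gemfile_text) }
  end
  # Top-level `source` adds a global source; `source ... do ... end` scopes the
  # gems declared inside to that single source.
  def source(url, &blk)
    return @global_sources << url unless blk
    prev, @scope = @scope, url
    instance_eval(&blk)
    @scope = prev
  end
  def gem(name, *_requirements, **opts)
    @unscoped << name unless @scope || opts[:source]
  end
  def group(*_names, &blk)
    instance_eval(&blk)
  end
  def method_missing(*_args, &_blk); end
  def respond_to_missing?(*_args); true; end
  # True when several global sources exist and at least one gem may be resolved
  # from whichever of them advertises the highest version number.
  def ambiguous?
    global_sources.uniq.size > 1 && !unscoped.empty?
  end
end
# Constructed sample Gemfile (gem names and the private URL are made up).
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.example.internal"
  gem "rails", "~> 6.1"
  group :internal do
    gem "internal-billing"
  end
GEMFILE
```

The audit only covers gems named directly in the Gemfile; the transitive private dependencies this CVE describes are resolved by Bundler, so the version check is the part that actually settles exposure.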
- CVE Status: PUBLISHED
- CNA: MITRE
- Published Date: 2021-04-29 03:15:08 (3 years ago)
- Updated Date: 2023-11-07 03:22:14 (10 months ago)
Affected Products
Configuration #1 | Configuration #2 | Configuration #3