[RUBYSEC:BUNDLER-2019-3881] Insecure path handling in Bundler
Severity: High
Affected Packages: 2
Unaffected Packages: 1
Fixed Packages: 1
CVEs: 1
Bundler prior to 2.1.0 falls back to a predictable path under /tmp/, created with
insecure permissions, as the storage location for gems when the locations under the
user's home directory are not available. If Bundler is run by a user who does not have
a writable home directory, a local attacker who can write to /tmp/ can create that
directory ahead of time or place malicious code in it, and that code is later loaded
and executed with the privileges of the user running Bundler.
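The two halves of the advisory, a predictable fallback directory that silently reuses whatever already exists there versus a private per-process directory whose ownership and mode are verified before use, as an added Ruby example. This is illustrative code written for this page, not Bundler's own implementation; the function names, the `bundler/home/<login>` layout and the "attacker pre-creates the directory" step are assumptions for illustration.

```ruby
require "fileutils"
require "tmpdir"

# Simulates the local attacker from the advisory: pre-create the predictable
# fallback directory and make it world-writable so the victim's Bundler run
# uses it without error. (Constructed for this example.)
def attacker_precreate_home(base, login)
  path = File.join(base, "bundler", "home", login)
  FileUtils.mkdir_p(path)
  File.chmod(0o777, path)
  path
end

# Vulnerable pattern (illustrative, not Bundler's code): a fixed, predictable
# path under the temp dir. mkdir_p is a no-op when the directory already
# exists, so an attacker-owned directory is reused without any check.
def predictable_fallback_home(login, base: Dir.tmpdir)
  path = File.join(base, "bundler", "home", login)
  FileUtils.mkdir_p(path)
  path
end

# Returns nil if the directory is safe to trust as a private gem home,
# otherwise a short reason. Uses lstat so a symlink planted in /tmp is
# rejected rather than followed.
def untrusted_dir_reason(path)
  st = File.lstat(path)
  return "is a symlink" if st.symlink?
  return "is not a directory" unless st.directory?
  return "owned by uid #{st.uid}, not #{Process.euid}" unless st.uid == Process.euid
  return format("group/world writable (mode %04o)", st.mode & 0o7777) if (st.mode & 0o022) != 0
  nil
end

# Hardened fallback: Dir.mktmpdir picks a random name and creates it 0700,
# so another local user can neither predict it nor pre-create it. The
# ownership/mode check is kept as defence in depth.
def private_fallback_home(prefix = "bundler-home-")
  path = Dir.mktmpdir(prefix)
  reason = untrusted_dir_reason(path)
  raise "refusing to use #{path}: #{reason}" if reason
  path
end

if $PROGRAM_NAME == __FILE__
  base = Dir.mktmpdir("advisory-demo-")
  planted = attacker_precreate_home(base, "victim")
  used    = predictable_fallback_home("victim", base: base)
  puts "vulnerable fallback reused attacker dir: #{planted == used}"
  puts "check says: #{untrusted_dir_reason(used)}"
  safe = private_fallback_home
  puts "hardened fallback: #{safe} (reason: #{untrusted_dir_reason(safe).inspect})"
  FileUtils.rm_rf([base, safe])
end
```

Operationally, the check that matters is the Bundler version itself: `bundle --version` should report 2.1.0 or later on any host where builds run without a writable home directory (CI runners, service accounts, containers with `HOME` unset).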
Package | Affected Version |
---|---|
pkg:gem/bundler | < 2.1.0 |
pkg:gem/bundler | = 1.14.0 |
Package | Unaffected Version |
---|---|
pkg:gem/bundler | < 1.14.0 |
Package | Fixed Version |
---|---|
pkg:gem/bundler | >= 2.1.0 |
- ID: RUBYSEC:BUNDLER-2019-3881
- Severity: high
- URL: https://github.com/advisories/GHSA-g98m-96g9-wfjq
- Published: 2018-04-23T00:00:00
- Modified: 2023-06-11T19:28:12
- Rights: RubySec Security Team
- Other Advisories
Source | ID | URL |
---|---|---|
Security Advisory | GHSA-g98m-96g9-wfjq | https://github.com/advisories/GHSA-g98m-96g9-wfjq |
CVE |
---|
CVE-2019-3881 |