[RUBYSEC:BUNDLER-2019-3881] Insecure path handling in Bundler
Severity
High
Affected Packages
2
Unaffected Packages
1
Fixed Packages
1
CVEs
1
Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with
insecure permissions as a storage location for gems, if locations under the user's
home directory are not available. If Bundler is used in a scenario where the user
does not have a writable home directory, an attacker could place malicious code
in this directory that would be later loaded and executed.
| Package | Affected Version |
|---|---|
 pkg:gem/bundler
|
< 2.1.0 |
|
pkg:gem/bundler
|
= 1.14.0 |
| Package | Unaffected Version |
|---|---|
|
pkg:gem/bundler
|
< 1.14.0 |
| Package | Fixed Version |
|---|---|
|
pkg:gem/bundler
|
>= 2.1.0 |
- ID
- RUBYSEC:BUNDLER-2019-3881
- Severity
- high
- URL
- https://github.com/advisories/GHSA-g98m-96g9-wfjq
- Published
-
2018-04-23T00:00:00
(6 years ago) - Modified
-
2023-06-11T19:28:12
(15 months ago) - Rights
- RubySec Security Team
- Other Advisories
ALSA-2021:2588
ELSA-2021-2588
FREEBSD:A2A2B34D-52B4-11EB-87CB-001B217B3468
GLSA-202408-22
openSUSE-SU-2020:0803-1
RHSA-2021:2588
RLSA-2021:2588
SUSE-SU-2020:1582-1
USN-4870-1| Source | # ID | Name | URL |
|---|---|---|---|
| Security Advisory | GHSA-g98m-96g9-wfjq |
|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |