[RUBYSEC:BUNDLER-2020-36327] Dependency Confusion in Bundler with Implicit Private Dependencies

Severity: High
Affected Packages: 2
Unaffected Packages: 1
Fixed Packages: 2
CVEs: 2

Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a
dependency source based on the highest gem version number, which means that a
rogue gem found at a public source may be chosen, even if the intended choice
was a private gem that is a dependency of another private gem that is
explicitly depended on by the application.
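To make the failure mode concrete, the following is an added, self-contained model (not Bundler's own resolver code) of the two behaviours the description contrasts: an affected resolver that takes the highest version of an implicit dependency across all configured sources, and a parent-source-first strategy that looks for an implicit dependency in the source its parent gem came from before falling back. The gem names, versions, sources (including the private server URL) and the dependency graph are constructed for illustration; the "parent-source-first" function is a simplified illustration of the fixed behaviour, not a reproduction of Bundler's actual algorithm. It also shows the Gemfile-side workaround implied by the description: listing the private transitive gem explicitly in the private source block.

```ruby
# Added example: simplified model of source selection for implicit
# (transitive) dependencies. Not Bundler code; all data is constructed.
require "rubygems" # Gem::Version gives correct version ordering

PUBLIC_SOURCE  = "https://rubygems.org"
PRIVATE_SOURCE = "https://gems.internal.example" # assumed private gem server

# Constructed gem index: source => { gem name => versions published there }.
# "acme-utils" 99.0.0 on the public source stands in for an attacker's rogue gem.
INDEX = {
  PUBLIC_SOURCE  => { "rails" => ["7.0.4"], "acme-utils" => ["99.0.0"] },
  PRIVATE_SOURCE => { "acme-core" => ["1.4.0"], "acme-utils" => ["1.2.0"] },
}.freeze

# Constructed dependency graph: gem name => runtime dependencies.
DEPS = { "rails" => [], "acme-core" => ["acme-utils"], "acme-utils" => [] }.freeze

# Model of the Gemfile: explicitly required gems and the source block each sits in.
# "acme-utils" is NOT listed, so it is only an implicit dependency of "acme-core".
EXPLICIT = { "rails" => PUBLIC_SOURCE, "acme-core" => PRIVATE_SOURCE }.freeze

# All [source, Gem::Version] pairs offering a given gem name.
def candidates(name)
  INDEX.flat_map { |src, gems| (gems[name] || []).map { |v| [src, Gem::Version.new(v)] } }
end

# Explicit gems inside a source block are only ever taken from that block's source.
def pick_from_source(name, src)
  _, ver = candidates(name).select { |s, _| s == src }.max_by { |_, v| v }
  ver && [src, ver.to_s]
end

# Affected behaviour (model): an implicit dependency is taken from whichever
# source offers the highest version number, regardless of its parent's source.
def pick_highest_version(name, _parent_source = nil)
  src, ver = candidates(name).max_by { |_, v| v }
  src && [src, ver.to_s]
end

# Fixed behaviour (model): look in the parent gem's source first; fall back to
# the other sources only if the parent's source does not offer the gem at all.
def pick_parent_source_first(name, parent_source)
  local = candidates(name).select { |src, _| src == parent_source }
  local = candidates(name) if local.empty?
  src, ver = local.max_by { |_, v| v }
  src && [src, ver.to_s]
end

# Breadth-first resolution of the whole graph under one implicit-dependency
# strategy. Returns { gem name => [chosen source, chosen version] }.
def resolve(strategy, explicit = EXPLICIT)
  resolved = {}
  queue = explicit.map { |name, src| [name, src, true] }
  until queue.empty?
    name, parent_src, is_explicit = queue.shift
    next if resolved.key?(name)
    chosen = is_explicit ? pick_from_source(name, parent_src) : send(strategy, name, parent_src)
    raise "unresolvable gem: #{name}" unless chosen
    resolved[name] = chosen
    DEPS.fetch(name, []).each { |dep| queue << [dep, chosen[0], false] }
  end
  resolved
end

# Audit helper: names of gems that exist on the private source but were
# resolved from somewhere else, i.e. the dependency-confusion outcome.
def confused_gems(resolution)
  resolution.select { |name, (src, _)| INDEX[PRIVATE_SOURCE].key?(name) && src != PRIVATE_SOURCE }.keys
end

if __FILE__ == $PROGRAM_NAME
  puts "affected : #{resolve(:pick_highest_version)["acme-utils"].inspect}"
  puts "fixed    : #{resolve(:pick_parent_source_first)["acme-utils"].inspect}"
  # Workaround for affected versions: depend on the private transitive gem
  # explicitly inside the private source block.
  mitigated = EXPLICIT.merge("acme-utils" => PRIVATE_SOURCE)
  puts "workaround: #{resolve(:pick_highest_version, mitigated)["acme-utils"].inspect}"
end
```

Under the affected strategy `acme-utils` resolves to the rogue 99.0.0 from the public source because 99.0.0 > 1.2.0; under the parent-source-first strategy it stays on the private server. The `mitigated` Gemfile model shows why explicitly listing every private gem, transitive ones included, inside the private `source` block closes the gap even on an affected Bundler, which is the pattern to apply until the upgrade to a fixed version is done.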

Version ranges (package URL pkg:gem/bundler):

  Type        Version
  Affected    < 2.2.18
  Affected    = 1.16.0
  Unaffected  < 1.16.0
  Fixed       = 2.2.10
  Fixed       >= 2.2.18

Read these ranges together with the description: the "< 2.2.18" affected entry overlaps both the unaffected "< 1.16.0" entry and the fixed "= 2.2.10" entry. The precise affected set is the one the description gives, 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17; 2.2.10 and 2.2.18 or later are fixed, and releases before 1.16.0 are not affected.