[RUBYSEC:BUNDLER-2020-36327] Dependency Confusion in Bundler with Implicit Private Dependencies
Severity: High
Affected Packages: 2
Unaffected Packages: 1
Fixed Packages: 2
CVEs: 2
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a
dependency source based on the highest gem version number, which means that a
rogue gem found at a public source may be chosen, even if the intended choice
was a private gem that is a dependency of another private gem that is
explicitly depended on by the application.
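The scenario above leaves a trace in `Gemfile.lock`: a gem that belongs to a private namespace but was resolved from a public remote, under a `BUNDLED WITH` version in the affected ranges. The Ruby script below is an added example, not code from RubySec or the Bundler project: it parses a constructed lockfile (hypothetical gem names `acme-core`/`acme-utils` and private host `gems.example.com`), reports private-namespace gems whose remote is not the private source, and checks the recorded Bundler version against the version ranges this advisory lists.

```ruby
# Added example (not part of the advisory): detect private-namespace gems that a
# Gemfile.lock resolved from a public remote, and flag affected Bundler versions.
require 'rubygems'
require 'uri'

# Constructed sample lockfile. Gem names and the private host are hypothetical;
# "acme-utils" is only a transitive dependency of "acme-core", yet it was
# resolved from rubygems.org because a higher version number existed there.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      acme-utils (9.9.9)
      rake (13.0.6)

  GEM
    remote: https://gems.example.com/
    specs:
      acme-core (1.2.0)
        acme-utils (>= 1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    acme-core
    rake

  BUNDLED WITH
     2.2.17
LOCK

# Walk the GEM sections and map each resolved spec name to the remote it came from.
# Resolved specs are indented by exactly four spaces; their sub-dependencies by six.
def parse_gem_remotes(lock_text)
  remotes = {}
  current_remote = nil
  in_specs = false
  lock_text.each_line do |raw|
    line = raw.chomp
    if line == 'GEM'
      current_remote = nil
      in_specs = false
    elsif line =~ /\A  remote: (\S+)/
      current_remote = $1
    elsif line == '  specs:'
      in_specs = true
    elsif line.empty? || line !~ /\A\s/
      # a blank line or another top-level section (PLATFORMS, DEPENDENCIES, ...) ends the spec list
      in_specs = false
    elsif in_specs && line =~ /\A    (\S+) \(/
      remotes[$1] = current_remote
    end
  end
  remotes
end

# Gems whose name matches one of the private prefixes but whose remote host is not
# the private gem server. Returns { name => remote_url }.
def suspicious_gems(lock_text, private_host:, private_prefixes:)
  parse_gem_remotes(lock_text).select do |name, remote|
    private_prefixes.any? { |prefix| name.start_with?(prefix) } &&
      URI(remote).host != private_host
  end
end

# The Bundler version recorded under BUNDLED WITH, or nil if absent.
def bundled_with(lock_text)
  match = lock_text.match(/^BUNDLED WITH\n\s+(\S+)/)
  match && match[1]
end

# Affected ranges taken from the advisory text: 1.16.0 through 2.2.9 and
# 2.2.11 through 2.2.17 (2.2.10 and >= 2.2.18 are fixed).
def vulnerable_bundler_version?(version_string)
  v = Gem::Version.new(version_string)
  (v >= Gem::Version.new('1.16.0') && v <= Gem::Version.new('2.2.9')) ||
    (v >= Gem::Version.new('2.2.11') && v <= Gem::Version.new('2.2.17'))
end

if __FILE__ == $PROGRAM_NAME
  version = bundled_with(SAMPLE_LOCK)
  puts "BUNDLED WITH #{version}: #{vulnerable_bundler_version?(version) ? 'affected' : 'not affected'}"
  suspicious_gems(SAMPLE_LOCK, private_host: 'gems.example.com', private_prefixes: ['acme-']).each do |name, remote|
    puts "private-namespace gem #{name} resolved from #{remote}"
  end
end
```

Run against a real lockfile by replacing `SAMPLE_LOCK` with `File.read('Gemfile.lock')` and listing your own private name prefixes. A clean run on an affected Bundler only says the lockfile currently looks right; upgrading to a fixed version (2.2.10 or 2.2.18 and later, per the table below) and pinning private gems to their source with a Gemfile `source "https://..." do ... end` block removes the ambiguity rather than just detecting it.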
| Package | Affected Version |
|---|---|
| pkg:gem/bundler | < 2.2.18 |
| pkg:gem/bundler | = 1.16.0 |

| Package | Unaffected Version |
|---|---|
| pkg:gem/bundler | < 1.16.0 |

| Package | Fixed Version |
|---|---|
| pkg:gem/bundler | = 2.2.10 |
| pkg:gem/bundler | >= 2.2.18 |
- ID: RUBYSEC:BUNDLER-2020-36327
- Severity: high
- URL: https://github.com/rubygems/rubygems/issues/3982
- Published: 2020-09-30T00:00:00
- Modified: 2023-07-11T00:21:50
- Rights: RubySec Security Team