Lucene search

K
cveMitreCVE-2020-36327
HistoryApr 29, 2021 - 3:15 a.m.

CVE-2020-36327

2021-04-2903:15:08
mitre
web.nvd.nist.gov
282
6
bundler
version 1.16.0
version 2.2.9
version 2.2.11
version 2.2.16
dependency confusion
cve-2020-36327
nvd

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.3

Confidence

High

EPSS

0.011

Percentile

84.4%

Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every “Dependency Confusion” issue in every product.

Affected configurations

Nvd
Node
bundlerbundlerRange1.16.0–2.2.10ruby
OR
bundlerbundlerRange2.2.11–2.2.16ruby
Node
fedoraprojectfedoraMatch34
Node
microsoftpackage_manager_configurationsMatch-
VendorProductVersionCPE
bundlerbundler*cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:*
fedoraprojectfedora34cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
microsoftpackage_manager_configurations-cpe:2.3:a:microsoft:package_manager_configurations:-:*:*:*:*:*:*:*

Social References

More

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.3

Confidence

High

EPSS

0.011

Percentile

84.4%