Lucene search

GitHub Advisory DatabaseGHSA-FP4W-JXHP-M23P

HistoryMay 24, 2021 - 6:12 p.m.

Dependency Confusion in Bundler

2021-05-2418:12:33

GitHub Advisory Database

github.com

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.01 Low

EPSS

Percentile

83.1%

JSON

Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application.

CPENameOperatorVersion
bundlerlt2.2.18
bundlerge1.16.0
bundlerlt2.2.10

Name	Operator	Version
bundler	lt	2.2.18
bundler	ge	1.16.0
bundler	lt	2.2.10

References

bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html

github.com/advisories/GHSA-fp4w-jxhp-m23p

github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2218-may-25-2021

github.com/rubygems/rubygems/commit/078bf682ac40017b309b5fc69f283ff640e7c129

github.com/rubygems/rubygems/issues/3982

github.com/rubygems/rubygems/pull/4609

github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2020-36327.yml

lists.fedoraproject.org/archives/list/[email protected]/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/

mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/

msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105

nvd.nist.gov/vuln/detail/CVE-2020-36327

www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.01 Low

EPSS

Percentile

83.1%

JSON

Related for GHSA-FP4W-JXHP-M23P