GitHub Advisory DatabaseGHSA-JVGM-PFQV-887XBundler allows attacker to inject arbitrary code via secondary Gem source
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.009 Low
EPSS
Percentile
82.6%
Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.
Affected configurations
References
collectiveidea.com/blog/archives/2016/10/06/bundlers-multiple-source-security-vulnerability/
www.openwall.com/lists/oss-security/2016/10/04/5
www.openwall.com/lists/oss-security/2016/10/04/7
www.openwall.com/lists/oss-security/2016/10/05/3
bugzilla.redhat.com/show_bug.cgi?id=1381951
collectiveidea.com/blog/archives/2016/10/06/bundlers-multiple-source-security-vulnerability
github.com/advisories/GHSA-jvgm-pfqv-887x
github.com/bundler/bundler/issues/5051
github.com/bundler/bundler/issues/5062
github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2016-7954.yml
nvd.nist.gov/vuln/detail/CVE-2016-7954
web.archive.org/web/20170214030311/www.securityfocus.com/bid/93423
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.009 Low
EPSS
Percentile
82.6%