8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.01 Low
EPSS
Percentile
83.1%
A flaw was found in the way Bundler determined the source repository when installing dependencies of source-restricted gem packages. In configurations that use multiple gem repositories and explicitly define from which source repository certain gems are to be installed, a dependency of a source-restricted gem could be installed form a different source if that repository provided higher version of the package. This could lead to installation of a malicious gem version and arbitrary code execution.
This issue only affects configurations where gem packages are installed from multiple sources and the source repositories are explicitly defined for at least some gems. Dependencies of those source-restricted gems may be installed form a different repository, even if the same repository provides those dependencies, which is inconsistent with the intended behaviour described in the Bundler documentation. There are multiple possible approaches to mitigate this issue - customers should evaluate which approaches are usable in their environments.
Explicitly define source for all dependency gems in the Gemfile configuration. When a dependency of a source-restricted gem is also to be installed form the same source, list such dependency explicitly in the Gemfile along with the specific source.
Avoid configurations with multiple source repositories. When using a private repository for non-public gems, use the same private repository to mirror any content required from any public gem repository, such as RubyGems.org. When preparing such mirror, ensure that no mirrored gems have names conflicting with names of the internal non-public gems.
Reserve internal package names in public repositories. For any internal private gem, also reserve the name in any public gem repository used, such as RubyGems.org. This will prevent attackers from registering those names and providing their malicious gems with higher versions.
Additional information about affected configurations can be found in the following Red Hat Knowledgebase article:
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.01 Low
EPSS
Percentile
83.1%