CVE-2020-36327
Bundler (Ruby) versions 1.16.0–2.2.9 and 2.2.11–2.2.17 are vulnerable to dependency confusion: a rogue gem published at a public source can be selected over the intended private gem if it carries a higher version number. This is the issue tracked as CVE-2020-36327, with confirmed remediation upstream...
CVE-2021-24105
CVE-2021-24105 describes an ecosystem-wide dependency confusion vulnerability: attackers can publish high-version or malicious packages to public repositories that are pulled over private ones during development, build, or release, enabling remote code execution. Affected behavior depends on pack...