Dependency Confusion

Source: Veracode Vulnerability Database (VERACODE:30297), sca.analysiscenter.veracode.com
Published: 2021-04-30 02:34:33
Tags: dependency confusion, software, package installer

EPSS: 0.01 (percentile 83.6%)

Bundler is vulnerable to dependency confusion. Because the package installer chooses a dependency's source by the highest gem version number across all configured sources, a malicious gem published to a public repository can be pulled in place of the intended private gem, even when that gem is only a dependency of another private gem.

Affected configurations

Vulners match node:
  rh-ruby26-ruby, Match: 2.6.2_118.el7
  OR
  bundler/bundler, Range: 2.2.13

Vendor    Product          Version         CPE
-         rh-ruby26-ruby   2.6.2_118.el7   cpe:2.3:a:-:rh-ruby26-ruby:2.6.2_118.el7:*:*:*:*:*:*:*
bundler   bundler          *               cpe:2.3:a:bundler:bundler:*:*:*:*:*:*:*:*