5 results (0.004 seconds)

CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 2

`Bundler` is a package for managing application dependencies in Ruby. In `bundler` versions before 2.2.33, when working with untrusted and apparently harmless `Gemfile`'s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that use the `git` option with invalid, but seemingly harmless, values with a leading dash, this can be false. To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as `git clone`. These commands are being constructed using user input (e.g. the repository URL). • https://github.com/rubygems/rubygems/commit/0fad1ccfe9dd7a3c5b82c1496df3c2b4842870d3 https://github.com/rubygems/rubygems/commit/a4f2f8ac17e6ce81c689527a8b6f14381060d95f https://github.com/rubygems/rubygems/pull/5142 https://github.com/rubygems/rubygems/security/advisories/GHSA-fj7f-vq84-fh43 https://www.sonarsource.com/blog/securing-developer-tools-package-managers • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •

CVSS: 9.3EPSS: 1%CPEs: 4EXPL: 2

Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product. Bundler versiones 1.16.0 hasta 2.2.9 y versiones 2.2.11 hasta 2.2.16, a veces elige una fuente de dependencia basada en el número de versión de una gema más alto, lo que significa que se puede elegir una gema falsa que se encuentre en una fuente pública, incluso si la elección deseada fue una gema privada que depende de otra gema privada de la que depende explícitamente la aplicación. NOTA: no es correcto usar CVE-2021-24105 para cada problema de "Dependency Confusion" en cada producto A flaw was found in the way Bundler determined the source repository when installing dependencies of source-restricted gem packages. In configurations that use multiple gem repositories and explicitly define from which source repository certain gems are to be installed, a dependency of a source-restricted gem could be installed form a different source if that repository provided higher version of the package. • https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html https://github.com/rubygems/rubygems/issues/3982 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105 https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve • CWE-494: Download of Code Without Integrity Check •

CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0

Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed. Bundler versiones anteriores a 2.1.0, usa una ruta predecible en /tmp/, creada con permisos no seguros como una ubicación de almacenamiento para gemas, si las ubicaciones en el directorio de inicio del usuario no están disponibles. Si Bundler es usado en un escenario donde el usuario no posee un directorio de inicio de escritura, un atacante podría colocar un código malicioso en este directorio que luego podría ser cargado y ejecutado • https://bugzilla.redhat.com/show_bug.cgi?id=1651826 https://access.redhat.com/security/cve/CVE-2019-3881 • CWE-427: Uncontrolled Search Path Element •

CVSS: 9.8EPSS: 0%CPEs: 183EXPL: 1

Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334. Bundler 1.x podría permitir a atacantes remotos inyectar código Ruby arbitrario en una aplicación aprovechando una colisión de nombres de gemas en una fuente secundaria. NOTA: esto podría solapar CVE-2013-0334. • http://collectiveidea.com/blog/archives/2016/10/06/bundlers-multiple-source-security-vulnerability http://www.openwall.com/lists/oss-security/2016/10/04/5 http://www.openwall.com/lists/oss-security/2016/10/04/7 http://www.openwall.com/lists/oss-security/2016/10/05/3 http://www.securityfocus.com/bid/93423 https://bugzilla.redhat.com/show_bug.cgi?id=1381951 https://github.com/bundler/bundler/issues/5051 https://github.com/bundler/bundler/issues/5062 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 5.1EPSS: 0%CPEs: 6EXPL: 0

Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source. Bundler anterior a 1.7, cuando múltiples líneas de fuentes del máximo nivel están utilizadas, permite a atacantes remotos instalar gemas arbitrarias con el mismo nombre como otra gema en una fuente diferente. A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to one of the sources could create a malicious gem with the same name, which they could then use to trick a user into installing, potentially resulting in execution of code from the attacker-supplied malicious gem. • http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html http&# • CWE-20: Improper Input Validation CWE-345: Insufficient Verification of Data Authenticity •