CVE-2020-36327 – rubygem-bundler: Dependencies of gems with explicit source may be installed from a different source
https://notcve.org/view.php?id=CVE-2020-36327
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.

A flaw was found in the way Bundler determined the source repository when installing dependencies of source-restricted gem packages. In configurations that use multiple gem repositories and explicitly define from which source repository certain gems are to be installed, a dependency of a source-restricted gem could be installed from a different source if that repository provided a higher version of the package.

References:
https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html
https://github.com/rubygems/rubygems/issues/3982
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL
https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105
https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve

Weakness: CWE-494: Download of Code Without Integrity Check
CVE-2021-24105 – Package Managers Configurations Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-24105
Depending on the configuration of various package managers, it is possible for an attacker to insert a malicious package into a package manager's repository which can be retrieved and used during development, build, and release processes. This insertion could lead to remote code execution. We believe this vulnerability affects multiple package managers across multiple languages, including but not limited to: Python/pip, .NET/NuGet, Java/Maven, JavaScript/npm.

Attack scenarios

An attacker could take advantage of this ecosystem-wide issue to cause harm in a variety of ways. The original attack scenarios were discovered by Alex Birsan and are detailed in their whitepaper, "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies" (https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610).

References:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24105