CVE-2020-36327
rubygem-bundler: Dependencies of gems with explicit source may be installed from a different source
- Public Exploits: 2
- Exploited in Wild: -
- Decision: -
Descriptions
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.
A flaw was found in the way Bundler determined the source repository when installing dependencies of source-restricted gem packages. In configurations that use multiple gem repositories and explicitly define from which source repository certain gems are to be installed, a dependency of a source-restricted gem could be installed from a different source if that repository provided a higher version of the package. This could lead to installation of a malicious gem version and arbitrary code execution.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-04-29 CVE Reserved
- 2021-04-29 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-09-01 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
CWE
- CWE-494: Download of Code Without Integrity Check
CAPEC
References (9)
URL | Tag | Date |
---|---|---|
https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things | Third Party Advisory | |
https://github.com/rubygems/rubygems/issues/3982 | | 2024-08-04 |
https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327 | | 2024-08-04 |
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105 | | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Bundler | Bundler | >= 1.16.0 < 2.2.10 | ruby | Affected |
Bundler | Bundler | >= 2.2.11 <= 2.2.16 | ruby | Affected |
Fedoraproject | Fedora | 34 | - | Affected |
Microsoft | Package Manager Configurations | - | - | Affected |