Description

Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.

Related CPE's

a

bundler

bundler

2

o

fedoraproject

fedora

34

Vulnerable

a

microsoft

package_manager_configurations

-

Vulnerable

References

https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html

Vendor Advisory

https://github.com/rubygems/rubygems/issues/3982

ExploitIssue TrackingThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/

https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/

Third Party Advisory

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105

PatchVendor Advisory

https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/

ExploitThird Party Advisory

Weaknesses

[email protected]

Primary
NVD-CWE-noinfo

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.8 · High

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2021-04-29T03:15:08.710

4 years ago

Last modified

2023-11-07T03:22:14.687

1 year ago