Vulnerability DatabaseCVE-2020-36327
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2020-36327
April 29, 2021
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.
Affected Packages
bundler (RUBY):
Affected version(s) >=2.2.11 <2.2.18
Fix Suggestion:
Update to version 2.2.18
bundler (RUBY):
Affected version(s) >=1.16.0 <2.2.10
Fix Suggestion:
Update to version 2.2.10
Related ResourcesĀ (16)
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105
https://github.com/rubygems/rubygems/commit/078bf682ac40017b309b5fc69f283ff640e7c129
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL
https://github.com/rubygems/rubygems
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/
https://access.redhat.com/security/cve/CVE-2020-36327
https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2218-may-25-2021
https://github.com/rubygems/rubygems/pull/4609
https://github.com/rubygems/rubygems/issues/3982
https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/
https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2020-36327.yml
https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327
https://nvd.nist.gov/vuln/detail/CVE-2020-36327
https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things
https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
CVSS v2
Base Score:
9.3
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
EPSS
Base Score:
24.73