GHSA-fp4w-jxhp-m23p

Source
https://github.com/advisories/GHSA-fp4w-jxhp-m23p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-fp4w-jxhp-m23p/GHSA-fp4w-jxhp-m23p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fp4w-jxhp-m23p
Aliases
Published
2021-05-24T18:12:33Z
Modified
2024-02-20T05:27:26.811694Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Dependency Confusion in Bundler
Details

Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application.

References

Affected packages

RubyGems / bundler

Package

Name
bundler
Purl
pkg:gem/bundler

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.16.0
Fixed
2.2.10

Affected versions

1.*

1.16.0
1.16.1
1.16.2
1.16.3
1.16.4
1.16.5
1.16.6
1.17.0.pre.1
1.17.0.pre.2
1.17.0
1.17.1
1.17.2
1.17.3

2.*

2.0.0.pre.1
2.0.0.pre.2
2.0.0.pre.3
2.0.0
2.0.1
2.0.2
2.1.0.pre.1
2.1.0.pre.2
2.1.0.pre.3
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0.rc.1
2.2.0.rc.2
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9

RubyGems / bundler

Package

Name
bundler
Purl
pkg:gem/bundler

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.11
Fixed
2.2.18

Affected versions

2.*

2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17