{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every \"Dependency Confusion\" issue in every product."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-07-29T02:06:19", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/rubygems/rubygems/issues/3982"}, {"tags": ["x_refsource_MISC"], "url": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105"}, {"tags": ["x_refsource_MISC"], "url": "https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html"}, {"tags": ["x_refsource_MISC"], "url": "https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/"}, {"name": "FEDORA-2021-36cdab1f8d", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-36327", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every \"Dependency Confusion\" issue in every product."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/rubygems/rubygems/issues/3982", "refsource": "MISC", "url": "https://github.com/rubygems/rubygems/issues/3982"}, {"name": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105", "refsource": "MISC", "url": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105"}, {"name": "https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html", "refsource": "MISC", "url": "https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html"}, {"name": "https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/", "refsource": "MISC", "url": "https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/"}, {"name": "https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/", "refsource": "MISC", "url": "https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/"}, {"name": "FEDORA-2021-36cdab1f8d", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:23:10.451Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/rubygems/rubygems/issues/3982"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/"}, {"name": "FEDORA-2021-36cdab1f8d", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-36327", "datePublished": "2021-04-29T02:28:54", "dateReserved": "2021-04-29T00:00:00", "dateUpdated": "2024-08-04T17:23:10.451Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "B84C5D9C-16BD-4670-AF3E-5DCCB62276AB", "versionEndExcluding": "2.2.10", "versionStartIncluding": "1.16.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "01DEFBF9-648B-48E3-A88D-93A61FF8B965", "versionEndIncluding": "2.2.16", "versionStartIncluding": "2.2.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:package_manager_configurations:-:*:*:*:*:*:*:*", "matchCriteriaId": "71D274DE-99A4-4FC3-A43B-53A2D68A0E09", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every \"Dependency Confusion\" issue in every product."}, {"lang": "es", "value": "Bundler versiones 1.16.0 hasta 2.2.9 y versiones 2.2.11 hasta 2.2.16, a veces elige una fuente de dependencia basada en el n\u00famero de versi\u00f3n de una gema m\u00e1s alto, lo que significa que se puede elegir una gema falsa que se encuentre en una fuente p\u00fablica, incluso si la elecci\u00f3n deseada fue una gema privada que depende de otra gema privada de la que depende expl\u00edcitamente la aplicaci\u00f3n. NOTA: no es correcto usar CVE-2021-24105 para cada problema de \"Dependency Confusion\" en cada producto"}], "id": "CVE-2020-36327", "lastModified": "2024-11-21T05:29:17.540", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-29T03:15:08.710", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/rubygems/rubygems/issues/3982"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/rubygems/rubygems/issues/3982"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:3020", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ruby:2.7-8040020210728141159.522a0ee4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-08-05T00:00:00Z"}, {"advisory": "RHSA-2022:0543", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ruby:2.6-8050020211215144356.c5368500", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-02-16T00:00:00Z"}, {"advisory": "RHSA-2022:0545", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ruby:2.5-8050020220112131355.c5368500", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-02-16T00:00:00Z"}, {"advisory": "RHSA-2022:0548", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "ruby:2.5-8010020220201125517.c27ad7f8", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-02-16T00:00:00Z"}, {"advisory": "RHSA-2022:0581", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "ruby:2.6-8010020220201152941.c27ad7f8", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-02-21T00:00:00Z"}, {"advisory": "RHSA-2022:0547", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "ruby:2.5-8020020220201125131.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-02-16T00:00:00Z"}, {"advisory": "RHSA-2022:0582", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "ruby:2.6-8020020220201131207.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-02-21T00:00:00Z"}, {"advisory": "RHSA-2022:0544", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "ruby:2.6-8040020220131135901.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-02-16T00:00:00Z"}, {"advisory": "RHSA-2022:0546", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "ruby:2.5-8040020220201123518.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-02-16T00:00:00Z"}, {"advisory": "RHSA-2021:3559", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby27-ruby-0:2.7.4-130.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-09-20T00:00:00Z"}, {"advisory": "RHSA-2021:3982", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby30-ruby-0:3.0.2-148.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-10-25T00:00:00Z"}, {"advisory": "RHSA-2022:0708", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby26-ruby-0:2.6.9-120.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2022-02-28T00:00:00Z"}, {"advisory": "RHSA-2021:3559", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby27-ruby-0:2.7.4-130.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-09-20T00:00:00Z"}, {"advisory": "RHSA-2021:3982", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby30-ruby-0:3.0.2-148.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-10-25T00:00:00Z"}], "bugzilla": {"description": "rubygem-bundler: Dependencies of gems with explicit source may be installed from a different source", "id": "1958999", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1958999"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-494", "details": ["Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every \"Dependency Confusion\" issue in every product.", "A flaw was found in the way Bundler determined the source repository when installing dependencies of source-restricted gem packages. In configurations that use multiple gem repositories and explicitly define from which source repository certain gems are to be installed, a dependency of a source-restricted gem could be installed form a different source if that repository provided higher version of the package. This could lead to installation of a malicious gem version and arbitrary code execution."], "mitigation": {"lang": "en:us", "value": "This issue only affects configurations where gem packages are installed from multiple sources and the source repositories are explicitly defined for at least some gems. Dependencies of those source-restricted gems may be installed form a different repository, even if the same repository provides those dependencies, which is inconsistent with the intended behaviour described in the Bundler documentation.  There are multiple possible approaches to mitigate this issue - customers should evaluate which approaches are usable in their environments.\n* Explicitly define source for all dependency gems in the Gemfile configuration. When a dependency of a source-restricted gem is also to be installed form the same source, list such dependency explicitly in the Gemfile along with the specific source.\n* Avoid configurations with multiple source repositories. When using a private repository for non-public gems, use the same private repository to mirror any content required from any public gem repository, such as RubyGems.org. When preparing such mirror, ensure that no mirrored gems have names conflicting with names of the internal non-public gems.\n* Reserve internal package names in public repositories. For any internal private gem, also reserve the name in any public gem repository used, such as RubyGems.org. This will prevent attackers from registering those names and providing their malicious gems with higher versions.\nAdditional information about affected configurations can be found in the following Red Hat Knowledgebase article:\nhttps://access.redhat.com/articles/6206172"}, "name": "CVE-2020-36327", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Will not fix", "package_name": "rubygem-bundler", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "ruby", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "impact": "low", "package_name": "rubygem-bundler", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "rubygem-bundler", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "ruby", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-ruby25-rubygem-bundler", "product_name": "Red Hat Software Collections"}], "public_date": "2021-02-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-36327\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-36327\nhttps://access.redhat.com/articles/6206172\nhttps://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/"], "statement": "Red Hat Satellite does not ship RubyGem bundler, however, the product consumes it from the Red Hat Software Collections (RHSCL) repository.", "threat_severity": "Important"}