CVSSv2 9.3

CVE-2020-36327

Published: 29/04/2021 Updated: 07/11/2023
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 829
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Bundler 1.16.0 up to and including 2.2.9 and 2.2.11 up to and including 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.

Vulnerable Products

bundler bundler

fedoraproject fedora 34

microsoft package manager configurations

Vendor Advisories

Important: ruby:2.5 security update (Security Advisory: Important). An update for the ruby:2.5 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update ...
Important: ruby:2.6 security update (Security Advisory: Important). An update for the ruby:2.6 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Secu ...
Important: ruby:2.5 security update (Security Advisory: Important). An update for the ruby:2.5 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Pr ...
Important: ruby:2.5 security update (Security Advisory: Important). An update for the ruby:2.5 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Secu ...
Important: ruby:2.5 security update (Security Advisory: Important). An update for the ruby:2.5 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Secu ...
Important: ruby:2.6 security update (Security Advisory: Important). An update for the ruby:2.6 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update ...
Important: rh-ruby26-ruby security, bug fix, and enhancement update (Security Advisory: Important). An update for rh-ruby26-ruby is now available for Red Hat Software Collections. Red Hat Product S ...
Important: ruby:2.6 security update (Security Advisory: Important). An update for the ruby:2.6 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Secu ...
Important: ruby:2.6 security update (Security Advisory: Important). An update for the ruby:2.6 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Pr ...

Github Repositories

OLD and Vuln WebPageTheme for my personal notes about information technology and cyber security

Acervo de TI - Matheus Laidler's Project PORTUGUESE [PT-BR] About> ** Note: This became an edited Jekyll theme page that I used before. It was going to be used as my draft page, but I gave up. Because I stopped using it - partly because it supposedly has errors that I want to explore before fixing them -, I started using and creating my materials on GitBook (