CVE-2020-36327

Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.

CVSS v3 8.8 HIGH
CVSS v2.0 9.3 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.3^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 8.6 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html	Vendor Advisory
https://github.com/rubygems/rubygems/issues/3982	Exploit Issue Tracking Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/
https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/	Third Party Advisory
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105	Patch Vendor Advisory
https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:bundler:bundler::::::ruby::*
	cpe:2.3:a:bundler:bundler::::::ruby::*

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:microsoft:package_manager_configurations:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-04-29 03:15

Updated : 2023-11-07 03:22

NVD link : CVE-2020-36327

Mitre link : CVE-2020-36327

CVE.ORG link : CVE-2020-36327

JSON object : View

Products Affected

microsoft

package_manager_configurations

fedoraproject

fedora

bundler

bundler

CWE

NVD-CWE-noinfo

{"id": "CVE-2020-36327", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2021-04-29T03:15:08.710", "references": [{"url": "https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/rubygems/rubygems/issues/3982", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/", "source": "cve@mitre.org"}, {"url": "https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every \"Dependency Confusion\" issue in every product."}, {"lang": "es", "value": "Bundler versiones 1.16.0 hasta 2.2.9 y versiones 2.2.11 hasta 2.2.16, a veces elige una fuente de dependencia basada en el n\u00famero de versi\u00f3n de una gema m\u00e1s alto, lo que significa que se puede elegir una gema falsa que se encuentre en una fuente p\u00fablica, incluso si la elecci\u00f3n deseada fue una gema privada que depende de otra gema privada de la que depende expl\u00edcitamente la aplicaci\u00f3n. NOTA: no es correcto usar CVE-2021-24105 para cada problema de \"Dependency Confusion\" en cada producto"}], "lastModified": "2023-11-07T03:22:14.687", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "B84C5D9C-16BD-4670-AF3E-5DCCB62276AB", "versionEndExcluding": "2.2.10", "versionStartIncluding": "1.16.0"}, {"criteria": "cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "01DEFBF9-648B-48E3-A88D-93A61FF8B965", "versionEndIncluding": "2.2.16", "versionStartIncluding": "2.2.11"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:package_manager_configurations:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71D274DE-99A4-4FC3-A43B-53A2D68A0E09"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}