CVE-2016-7954: Code Injection
First published: Wed Oct 05 2016(Updated: )
A vulnerability was found in Bundler. Bundler allows the user to specify sources from which Ruby gems are installed. If a secondary source is specified, even if scoped to a specific gem, that source is silently applied to all declared gems. This allows an attacker to introduce arbitrary code into an application via gem name collision on the secondary source, which will unexpectedly (and without warning) take priority over the primary source. CVE request: <a href="http://seclists.org/oss-sec/2016/q4/18">http://seclists.org/oss-sec/2016/q4/18</a> CVE assignment: <a href="http://seclists.org/oss-sec/2016/q4/20">http://seclists.org/oss-sec/2016/q4/20</a> References: <a href="http://seclists.org/oss-sec/2016/q4/25">http://seclists.org/oss-sec/2016/q4/25</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bundler Bundler | =1.0.0 | |
| Bundler Bundler | =1.0.0-beta1 | |
| Bundler Bundler | =1.0.0-beta10 | |
| Bundler Bundler | =1.0.0-beta6 | |
| Bundler Bundler | =1.0.0-beta7 | |
| Bundler Bundler | =1.0.0-beta8 | |
| Bundler Bundler | =1.0.0-beta9 | |
| Bundler Bundler | =1.0.0-rc1 | |
| Bundler Bundler | =1.0.0-rc2 | |
| Bundler Bundler | =1.0.0-rc3 | |
| Bundler Bundler | =1.0.0-rc4 | |
| Bundler Bundler | =1.0.0-rc5 | |
| Bundler Bundler | =1.0.0-rc6 | |
| Bundler Bundler | =1.0.1 | |
| Bundler Bundler | =1.0.2 | |
| Bundler Bundler | =1.0.3 | |
| Bundler Bundler | =1.0.4 | |
| Bundler Bundler | =1.0.5 | |
| Bundler Bundler | =1.0.6 | |
| Bundler Bundler | =1.0.7 | |
| Bundler Bundler | =1.0.8 | |
| Bundler Bundler | =1.0.9 | |
| Bundler Bundler | =1.0.10 | |
| Bundler Bundler | =1.0.11 | |
| Bundler Bundler | =1.0.12 | |
| Bundler Bundler | =1.0.13 | |
| Bundler Bundler | =1.0.14 | |
| Bundler Bundler | =1.0.15 | |
| Bundler Bundler | =1.0.16 | |
| Bundler Bundler | =1.0.17 | |
| Bundler Bundler | =1.0.18 | |
| Bundler Bundler | =1.0.19-rc | |
| Bundler Bundler | =1.0.20 | |
| Bundler Bundler | =1.0.20-rc | |
| Bundler Bundler | =1.0.21 | |
| Bundler Bundler | =1.0.21-rc | |
| Bundler Bundler | =1.1-pre | |
| Bundler Bundler | =1.1-pre1 | |
| Bundler Bundler | =1.1-pre10 | |
| Bundler Bundler | =1.1-pre2 | |
| Bundler Bundler | =1.1-pre3 | |
| Bundler Bundler | =1.1-pre4 | |
| Bundler Bundler | =1.1-pre5 | |
| Bundler Bundler | =1.1-pre6 | |
| Bundler Bundler | =1.1-pre7 | |
| Bundler Bundler | =1.1-pre8 | |
| Bundler Bundler | =1.1-pre9 | |
| Bundler Bundler | =1.1-rc | |
| Bundler Bundler | =1.1-rc2 | |
| Bundler Bundler | =1.1-rc3 | |
| Bundler Bundler | =1.1-rc4 | |
| Bundler Bundler | =1.1-rc5 | |
| Bundler Bundler | =1.1-rc6 | |
| Bundler Bundler | =1.1-rc7 | |
| Bundler Bundler | =1.1-rc8 | |
| Bundler Bundler | =1.1.0 | |
| Bundler Bundler | =1.1.1 | |
| Bundler Bundler | =1.1.2 | |
| Bundler Bundler | =1.1.3 | |
| Bundler Bundler | =1.1.4 | |
| Bundler Bundler | =1.1.5 | |
| Bundler Bundler | =1.2.0 | |
| Bundler Bundler | =1.2.0-pre | |
| Bundler Bundler | =1.2.0-pre1 | |
| Bundler Bundler | =1.2.0-rc | |
| Bundler Bundler | =1.2.0-rc2 | |
| Bundler Bundler | =1.2.1 | |
| Bundler Bundler | =1.2.2 | |
| Bundler Bundler | =1.2.3 | |
| Bundler Bundler | =1.2.4 | |
| Bundler Bundler | =1.2.5 | |
| Bundler Bundler | =1.3.0 | |
| Bundler Bundler | =1.3.0-pre | |
| Bundler Bundler | =1.3.0-pre2 | |
| Bundler Bundler | =1.3.0-pre3 | |
| Bundler Bundler | =1.3.0-pre4 | |
| Bundler Bundler | =1.3.0-pre5 | |
| Bundler Bundler | =1.3.0-pre6 | |
| Bundler Bundler | =1.3.0-pre7 | |
| Bundler Bundler | =1.3.0-pre8 | |
| Bundler Bundler | =1.3.1 | |
| Bundler Bundler | =1.3.2 | |
| Bundler Bundler | =1.3.3 | |
| Bundler Bundler | =1.3.4 | |
| Bundler Bundler | =1.3.5 | |
| Bundler Bundler | =1.3.6 | |
| Bundler Bundler | =1.4.0-pre1 | |
| Bundler Bundler | =1.4.0-rc1 | |
| Bundler Bundler | =1.5.0 | |
| Bundler Bundler | =1.5.0-rc1 | |
| Bundler Bundler | =1.5.0-rc2 | |
| Bundler Bundler | =1.5.1 | |
| Bundler Bundler | =1.5.2 | |
| Bundler Bundler | =1.5.3 | |
| Bundler Bundler | =1.6.0 | |
| Bundler Bundler | =1.6.1 | |
| Bundler Bundler | =1.6.2 | |
| Bundler Bundler | =1.6.3 | |
| Bundler Bundler | =1.6.4 | |
| Bundler Bundler | =1.6.5 | |
| Bundler Bundler | =1.6.6 | |
| Bundler Bundler | =1.6.7 | |
| Bundler Bundler | =1.7.0 | |
| Bundler Bundler | =1.7.1 | |
| Bundler Bundler | =1.7.2 | |
| Bundler Bundler | =1.7.3 | |
| Bundler Bundler | =1.7.4 | |
| Bundler Bundler | =1.7.5 | |
| Bundler Bundler | =1.7.6 | |
| Bundler Bundler | =1.7.7 | |
| Bundler Bundler | =1.7.8 | |
| Bundler Bundler | =1.7.9 | |
| Bundler Bundler | =1.7.10 | |
| Bundler Bundler | =1.7.11 | |
| Bundler Bundler | =1.7.12 | |
| Bundler Bundler | =1.7.13 | |
| Bundler Bundler | =1.7.14 | |
| Bundler Bundler | =1.7.15 | |
| Bundler Bundler | =1.8.0 | |
| Bundler Bundler | =1.8.0-pre | |
| Bundler Bundler | =1.8.0-rc | |
| Bundler Bundler | =1.8.1 | |
| Bundler Bundler | =1.8.2 | |
| Bundler Bundler | =1.8.3 | |
| Bundler Bundler | =1.8.4 | |
| Bundler Bundler | =1.8.5 | |
| Bundler Bundler | =1.8.6 | |
| Bundler Bundler | =1.8.7 | |
| Bundler Bundler | =1.8.8 | |
| Bundler Bundler | =1.8.9 | |
| Bundler Bundler | =1.9.0 | |
| Bundler Bundler | =1.9.0-pre | |
| Bundler Bundler | =1.9.0-pre1 | |
| Bundler Bundler | =1.9.0-rc | |
| Bundler Bundler | =1.9.1 | |
| Bundler Bundler | =1.9.2 | |
| Bundler Bundler | =1.9.3 | |
| Bundler Bundler | =1.9.4 | |
| Bundler Bundler | =1.9.5 | |
| Bundler Bundler | =1.9.6 | |
| Bundler Bundler | =1.9.7 | |
| Bundler Bundler | =1.9.8 | |
| Bundler Bundler | =1.9.9 | |
| Bundler Bundler | =1.9.10 | |
| Bundler Bundler | =1.10.0 | |
| Bundler Bundler | =1.10.0-pre | |
| Bundler Bundler | =1.10.0-pre1 | |
| Bundler Bundler | =1.10.0-pre2 | |
| Bundler Bundler | =1.10.0-rc | |
| Bundler Bundler | =1.10.1 | |
| Bundler Bundler | =1.10.2 | |
| Bundler Bundler | =1.10.3 | |
| Bundler Bundler | =1.10.4 | |
| Bundler Bundler | =1.10.5 | |
| Bundler Bundler | =1.10.6 | |
| Bundler Bundler | =1.11.0 | |
| Bundler Bundler | =1.11.0-pre1 | |
| Bundler Bundler | =1.11.0-pre2 | |
| Bundler Bundler | =1.11.1 | |
| Bundler Bundler | =1.11.2 | |
| Bundler Bundler | =1.12.0 | |
| Bundler Bundler | =1.12.0-pre1 | |
| Bundler Bundler | =1.12.0-pre2 | |
| Bundler Bundler | =1.12.0-rc | |
| Bundler Bundler | =1.12.0-rc2 | |
| Bundler Bundler | =1.12.0-rc3 | |
| Bundler Bundler | =1.12.0-rc4 | |
| Bundler Bundler | =1.12.1 | |
| Bundler Bundler | =1.12.2 | |
| Bundler Bundler | =1.12.3 | |
| Bundler Bundler | =1.12.4 | |
| Bundler Bundler | =1.12.5 | |
| Bundler Bundler | =1.12.6 | |
| Bundler Bundler | =1.13.0 | |
| Bundler Bundler | =1.13.0-pre1 | |
| Bundler Bundler | =1.13.0-rc1 | |
| Bundler Bundler | =1.13.0-rc2 | |
| Bundler Bundler | =1.13.1 | |
| Bundler Bundler | =1.13.2 | |
| Bundler Bundler | =1.13.3 | |
| Bundler Bundler | =1.13.4 | |
| Bundler Bundler | =1.13.5 | |
| Bundler Bundler | =1.13.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://seclists.org/oss-sec/2016/q4/18
- http://seclists.org/oss-sec/2016/q4/20
- http://seclists.org/oss-sec/2016/q4/25
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1381952
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1381953
- https://collectiveidea.com/blog/archives/2016/10/06/bundlers-multiple-source-security-vulnerability
- https://github.com/bundler/bundler/issues/5051
- https://github.com/bundler/bundler/issues/5274
- https://access.redhat.com/security/updates/classification/
- https://bugzilla.redhat.com/show_bug.cgi?id=1381951
- http://collectiveidea.com/blog/archives/2016/10/06/bundlers-multiple-source-security-vulnerability/
- http://www.openwall.com/lists/oss-security/2016/10/04/5
- http://www.openwall.com/lists/oss-security/2016/10/04/7
- http://www.openwall.com/lists/oss-security/2016/10/05/3
- http://www.securityfocus.com/bid/93423
- https://github.com/bundler/bundler/issues/5062
- collector/nvd-index
- agent/references
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-7954
- agent/severity
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/tags
- agent/description
- agent/event
- agent/trending
- vendor/bundler
- canonical/bundler bundler
- version/bundler bundler/1.0.0
- version/bundler bundler/1.0.0-beta1
- version/bundler bundler/1.0.0-beta10
- version/bundler bundler/1.0.0-beta6
- version/bundler bundler/1.0.0-beta7
- version/bundler bundler/1.0.0-beta8
- version/bundler bundler/1.0.0-beta9
- version/bundler bundler/1.0.0-rc1
- version/bundler bundler/1.0.0-rc2
- version/bundler bundler/1.0.0-rc3
- version/bundler bundler/1.0.0-rc4
- version/bundler bundler/1.0.0-rc5
- version/bundler bundler/1.0.0-rc6
- version/bundler bundler/1.0.1
- version/bundler bundler/1.0.2
- version/bundler bundler/1.0.3
- version/bundler bundler/1.0.4
- version/bundler bundler/1.0.5
- version/bundler bundler/1.0.6
- version/bundler bundler/1.0.7
- version/bundler bundler/1.0.8
- version/bundler bundler/1.0.9
- version/bundler bundler/1.0.10
- version/bundler bundler/1.0.11
- version/bundler bundler/1.0.12
- version/bundler bundler/1.0.13
- version/bundler bundler/1.0.14
- version/bundler bundler/1.0.15
- version/bundler bundler/1.0.16
- version/bundler bundler/1.0.17
- version/bundler bundler/1.0.18
- version/bundler bundler/1.0.19-rc
- version/bundler bundler/1.0.20
- version/bundler bundler/1.0.20-rc
- version/bundler bundler/1.0.21
- version/bundler bundler/1.0.21-rc
- version/bundler bundler/1.1-pre
- version/bundler bundler/1.1-pre1
- version/bundler bundler/1.1-pre10
- version/bundler bundler/1.1-pre2
- version/bundler bundler/1.1-pre3
- version/bundler bundler/1.1-pre4
- version/bundler bundler/1.1-pre5
- version/bundler bundler/1.1-pre6
- version/bundler bundler/1.1-pre7
- version/bundler bundler/1.1-pre8
- version/bundler bundler/1.1-pre9
- version/bundler bundler/1.1-rc
- version/bundler bundler/1.1-rc2
- version/bundler bundler/1.1-rc3
- version/bundler bundler/1.1-rc4
- version/bundler bundler/1.1-rc5
- version/bundler bundler/1.1-rc6
- version/bundler bundler/1.1-rc7
- version/bundler bundler/1.1-rc8
- version/bundler bundler/1.1.0
- version/bundler bundler/1.1.1
- version/bundler bundler/1.1.2
- version/bundler bundler/1.1.3
- version/bundler bundler/1.1.4
- version/bundler bundler/1.1.5
- version/bundler bundler/1.2.0
- version/bundler bundler/1.2.0-pre
- version/bundler bundler/1.2.0-pre1
- version/bundler bundler/1.2.0-rc
- version/bundler bundler/1.2.0-rc2
- version/bundler bundler/1.2.1
- version/bundler bundler/1.2.2
- version/bundler bundler/1.2.3
- version/bundler bundler/1.2.4
- version/bundler bundler/1.2.5
- version/bundler bundler/1.3.0
- version/bundler bundler/1.3.0-pre
- version/bundler bundler/1.3.0-pre2
- version/bundler bundler/1.3.0-pre3
- version/bundler bundler/1.3.0-pre4
- version/bundler bundler/1.3.0-pre5
- version/bundler bundler/1.3.0-pre6
- version/bundler bundler/1.3.0-pre7
- version/bundler bundler/1.3.0-pre8
- version/bundler bundler/1.3.1
- version/bundler bundler/1.3.2
- version/bundler bundler/1.3.3
- version/bundler bundler/1.3.4
- version/bundler bundler/1.3.5
- version/bundler bundler/1.3.6
- version/bundler bundler/1.4.0-pre1
- version/bundler bundler/1.4.0-rc1
- version/bundler bundler/1.5.0
- version/bundler bundler/1.5.0-rc1
- version/bundler bundler/1.5.0-rc2
- version/bundler bundler/1.5.1
- version/bundler bundler/1.5.2
- version/bundler bundler/1.5.3
- version/bundler bundler/1.6.0
- version/bundler bundler/1.6.1
- version/bundler bundler/1.6.2
- version/bundler bundler/1.6.3
- version/bundler bundler/1.6.4
- version/bundler bundler/1.6.5
- version/bundler bundler/1.6.6
- version/bundler bundler/1.6.7
- version/bundler bundler/1.7.0
- version/bundler bundler/1.7.1
- version/bundler bundler/1.7.2
- version/bundler bundler/1.7.3
- version/bundler bundler/1.7.4
- version/bundler bundler/1.7.5
- version/bundler bundler/1.7.6
- version/bundler bundler/1.7.7
- version/bundler bundler/1.7.8
- version/bundler bundler/1.7.9
- version/bundler bundler/1.7.10
- version/bundler bundler/1.7.11
- version/bundler bundler/1.7.12
- version/bundler bundler/1.7.13
- version/bundler bundler/1.7.14
- version/bundler bundler/1.7.15
- version/bundler bundler/1.8.0
- version/bundler bundler/1.8.0-pre
- version/bundler bundler/1.8.0-rc
- version/bundler bundler/1.8.1
- version/bundler bundler/1.8.2
- version/bundler bundler/1.8.3
- version/bundler bundler/1.8.4
- version/bundler bundler/1.8.5
- version/bundler bundler/1.8.6
- version/bundler bundler/1.8.7
- version/bundler bundler/1.8.8
- version/bundler bundler/1.8.9
- version/bundler bundler/1.9.0
- version/bundler bundler/1.9.0-pre
- version/bundler bundler/1.9.0-pre1
- version/bundler bundler/1.9.0-rc
- version/bundler bundler/1.9.1
- version/bundler bundler/1.9.2
- version/bundler bundler/1.9.3
- version/bundler bundler/1.9.4
- version/bundler bundler/1.9.5
- version/bundler bundler/1.9.6
- version/bundler bundler/1.9.7
- version/bundler bundler/1.9.8
- version/bundler bundler/1.9.9
- version/bundler bundler/1.9.10
- version/bundler bundler/1.10.0
- version/bundler bundler/1.10.0-pre
- version/bundler bundler/1.10.0-pre1
- version/bundler bundler/1.10.0-pre2
- version/bundler bundler/1.10.0-rc
- version/bundler bundler/1.10.1
- version/bundler bundler/1.10.2
- version/bundler bundler/1.10.3
- version/bundler bundler/1.10.4
- version/bundler bundler/1.10.5
- version/bundler bundler/1.10.6
- version/bundler bundler/1.11.0
- version/bundler bundler/1.11.0-pre1
- version/bundler bundler/1.11.0-pre2
- version/bundler bundler/1.11.1
- version/bundler bundler/1.11.2
- version/bundler bundler/1.12.0
- version/bundler bundler/1.12.0-pre1
- version/bundler bundler/1.12.0-pre2
- version/bundler bundler/1.12.0-rc
- version/bundler bundler/1.12.0-rc2
- version/bundler bundler/1.12.0-rc3
- version/bundler bundler/1.12.0-rc4
- version/bundler bundler/1.12.1
- version/bundler bundler/1.12.2
- version/bundler bundler/1.12.3
- version/bundler bundler/1.12.4
- version/bundler bundler/1.12.5
- version/bundler bundler/1.12.6
- version/bundler bundler/1.13.0
- version/bundler bundler/1.13.0-pre1
- version/bundler bundler/1.13.0-rc1
- version/bundler bundler/1.13.0-rc2
- version/bundler bundler/1.13.1
- version/bundler bundler/1.13.2
- version/bundler bundler/1.13.3
- version/bundler bundler/1.13.4
- version/bundler bundler/1.13.5
- version/bundler bundler/1.13.6