critical
9.3
CWE
494
Advisory Published
CVE Published
Updated

CVE-2020-36327

First published: Tue Feb 09 2021(Updated: )

A flaw was found in the way Bundler determined the source repository when installing dependencies of source-restricted gem packages. In configurations that use multiple gem repositories and explicitly define from which source repository certain gems are to be installed, a dependency of a source-restricted gem could be installed form a different source if that repository provided higher version of the package. This could lead to installation of a malicious gem version and arbitrary code execution.

Credit: cve@mitre.org

Affected SoftwareAffected VersionHow to fix
redhat/rh-ruby27-ruby<0:2.7.4-130.el7
0:2.7.4-130.el7
redhat/rh-ruby30-ruby<0:3.0.2-148.el7
0:3.0.2-148.el7
redhat/rh-ruby26-ruby<0:2.6.9-120.el7
0:2.6.9-120.el7
redhat/rubygem-bundler<2.2.18
2.2.18
Bundler Bundler Ruby>=1.16.0<2.2.10
Bundler Bundler Ruby>=2.2.11<=2.2.16
Fedoraproject Fedora=34
Microsoft Package Manager Configurations

Remedy

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105

Remedy

This issue only affects configurations where gem packages are installed from multiple sources and the source repositories are explicitly defined for at least some gems. Dependencies of those source-restricted gems may be installed form a different repository, even if the same repository provides those dependencies, which is inconsistent with the intended behaviour described in the Bundler documentation. There are multiple possible approaches to mitigate this issue - customers should evaluate which approaches are usable in their environments. * Explicitly define source for all dependency gems in the Gemfile configuration. When a dependency of a source-restricted gem is also to be installed form the same source, list such dependency explicitly in the Gemfile along with the specific source. * Avoid configurations with multiple source repositories. When using a private repository for non-public gems, use the same private repository to mirror any content required from any public gem repository, such as RubyGems.org. When preparing such mirror, ensure that no mirrored gems have names conflicting with names of the internal non-public gems. * Reserve internal package names in public repositories. For any internal private gem, also reserve the name in any public gem repository used, such as RubyGems.org. This will prevent attackers from registering those names and providing their malicious gems with higher versions. Additional information about affected configurations can be found in the following Red Hat Knowledgebase article: https://access.redhat.com/articles/6206172

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203