CVE-2020-36327 - OpenCVE

Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:M/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Bundler	Bundler
Microsoft	Package Manager Configurations
Fedoraproject	Fedora

Configuration 1 [-]

OR	cpe:2.3:a:bundler:bundler::::::ruby::*
	cpe:2.3:a:bundler:bundler::::::ruby::*

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:microsoft:package_manager_configurations:-:*:*:*:*:*:*:*

References

Link	Resource
https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html	Vendor Advisory
https://github.com/rubygems/rubygems/issues/3982	Exploit Issue Tracking Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/
https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/	Third Party Advisory
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105	Patch Vendor Advisory
https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-04-29T02:28:54

Updated: 2021-07-29T02:06:19

Reserved: 2021-04-29T00:00:00

Link: CVE-2020-36327

JSON object: View

NVD Information

Status : Modified

Published: 2021-04-29T03:15:08.710

Modified: 2023-11-07T03:22:14.687

Link: CVE-2020-36327

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every \"Dependency Confusion\" issue in every product."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-07-29T02:06:19", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/rubygems/rubygems/issues/3982"}, {"tags": ["x_refsource_MISC"], "url": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105"}, {"tags": ["x_refsource_MISC"], "url": "https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html"}, {"tags": ["x_refsource_MISC"], "url": "https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/"}, {"name": "FEDORA-2021-36cdab1f8d", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-36327", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every \"Dependency Confusion\" issue in every product."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/rubygems/rubygems/issues/3982", "refsource": "MISC", "url": "https://github.com/rubygems/rubygems/issues/3982"}, {"name": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105", "refsource": "MISC", "url": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105"}, {"name": "https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html", "refsource": "MISC", "url": "https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html"}, {"name": "https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/", "refsource": "MISC", "url": "https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/"}, {"name": "https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/", "refsource": "MISC", "url": "https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/"}, {"name": "FEDORA-2021-36cdab1f8d", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-36327", "datePublished": "2021-04-29T02:28:54", "dateReserved": "2021-04-29T00:00:00", "dateUpdated": "2021-07-29T02:06:19", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "B84C5D9C-16BD-4670-AF3E-5DCCB62276AB", "versionEndExcluding": "2.2.10", "versionStartIncluding": "1.16.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "01DEFBF9-648B-48E3-A88D-93A61FF8B965", "versionEndIncluding": "2.2.16", "versionStartIncluding": "2.2.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:package_manager_configurations:-:*:*:*:*:*:*:*", "matchCriteriaId": "71D274DE-99A4-4FC3-A43B-53A2D68A0E09", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every \"Dependency Confusion\" issue in every product."}, {"lang": "es", "value": "Bundler versiones 1.16.0 hasta 2.2.9 y versiones 2.2.11 hasta 2.2.16, a veces elige una fuente de dependencia basada en el n\u00famero de versi\u00f3n de una gema m\u00e1s alto, lo que significa que se puede elegir una gema falsa que se encuentre en una fuente p\u00fablica, incluso si la elecci\u00f3n deseada fue una gema privada que depende de otra gema privada de la que depende expl\u00edcitamente la aplicaci\u00f3n. NOTA: no es correcto usar CVE-2021-24105 para cada problema de \"Dependency Confusion\" en cada producto"}], "id": "CVE-2020-36327", "lastModified": "2023-11-07T03:22:14.687", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-29T03:15:08.710", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/rubygems/rubygems/issues/3982"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}