Moderate severity · NVD Advisory · Published Oct 31, 2014 · Updated May 6, 2026
CVE-2013-0334
Description
Bundler before 1.7.0, when a Gemfile declares multiple top-level `source` lines, allows remote attackers to install arbitrary gems by publishing a gem with the same name as a gem hosted in a different source.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bundler (RubyGems) | < 1.7.0 | 1.7.0 |
Affected products
- cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
A Gemfile that lists more than one top-level `source` gives Bundler (before 1.7.0) a single pool of sources to search for every gem, so a gem the author meant to take from a private gem server can instead be satisfied by a same-named gem that an attacker publishes on a public source such as rubygems.org. Bundler 1.7.0 introduced the block form `source "url" do ... end` and the per-gem `source:` option so that a gem can be pinned to one source, and it warns when a gem name is found in more than one source (see the vendor advisory under References). A Gemfile with several unscoped sources and no pinning of the private gems remains exposed to this name collision.
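As an added illustration (not Bundler's code and not part of the advisory): a small Ruby model of the Gemfile `source` rules that reports which declared gems more than one source could satisfy, comparing a two-top-level-source Gemfile with the Bundler 1.7 block form. The source URLs, gem names and the per-source inventory are constructed, and the scoping rules are a simplification of Bundler's real resolver.

```ruby
# Constructed stand-in for the Gemfile DSL: it only records each gem's declared
# source scope so the two resolution rules below can be compared. Not Bundler's code.
class GemfileModel
  attr_reader :global_sources, :gem_scope

  def initialize
    @global_sources = []   # top-level `source "url"` lines, in order
    @gem_scope = {}        # gem name => pinned source URL, or nil if unscoped
    @current_scope = nil
  end

  # `source "url"` at top level joins the global pool; `source "url" do ... end`
  # pins every gem declared inside the block to that one source.
  def source(url, &block)
    if block
      outer = @current_scope
      @current_scope = url
      block.call
      @current_scope = outer
    else
      @global_sources << url unless @global_sources.include?(url)
    end
    nil
  end

  # `gem "name", "~> 1.0", source: "url"`; an explicit source: option wins.
  def gem(name, *_requirements, **opts)
    @gem_scope[name] = opts[:source] || @current_scope
    nil
  end

  def self.parse(text)
    model = new
    model.instance_eval(text, "Gemfile")
    model
  end
end

# Bundler < 1.7 semantics: every top-level source that hosts a gem of that name
# is a candidate, whichever one the Gemfile author had in mind.
def candidates_flat(model, inventory, name)
  model.global_sources.select { |url| inventory.fetch(url, []).include?(name) }
end

# Bundler >= 1.7 semantics for a gem declared in a source block (or with source:):
# only the pinned source is eligible; unscoped gems fall back to the flat rule.
def candidates_scoped(model, inventory, name)
  pinned = model.gem_scope[name]
  return candidates_flat(model, inventory, name) unless pinned
  inventory.fetch(pinned, []).include?(name) ? [pinned] : []
end

# Gems that more than one source could satisfy: the name-collision condition
# CVE-2013-0334 describes.
def ambiguous_gems(model, inventory)
  model.gem_scope.keys.select { |name| candidates_scoped(model, inventory, name).size > 1 }
end

# Constructed inventory of which gem names each source hosts. The attacker has
# published a public gem named after the company's private one.
INVENTORY = {
  "https://rubygems.org"          => %w[rails rack acme-internal],
  "https://gems.example.internal" => %w[acme-internal],
}.freeze

# Pre-1.7 style Gemfile: two top-level sources, nothing pinned (constructed).
VULNERABLE = GemfileModel.parse(<<~GEMFILE)
  source "https://rubygems.org"
  source "https://gems.example.internal"

  gem "rails", "~> 4.1"
  gem "acme-internal"
GEMFILE

# Bundler 1.7+ style: the private source is a block, so acme-internal can only
# come from it and the public source cannot satisfy that name (constructed).
HARDENED = GemfileModel.parse(<<~GEMFILE)
  source "https://rubygems.org"

  gem "rails", "~> 4.1"

  source "https://gems.example.internal" do
    gem "acme-internal"
  end
GEMFILE

if __FILE__ == $PROGRAM_NAME
  { "vulnerable" => VULNERABLE, "hardened" => HARDENED }.each do |label, model|
    puts "#{label}: ambiguous gems = #{ambiguous_gems(model, INVENTORY).inspect}"
    puts "  acme-internal candidates: #{candidates_scoped(model, INVENTORY, 'acme-internal').inspect}"
  end
end
```

Running the file prints `["acme-internal"]` as ambiguous for the two-source Gemfile and `[]` for the block-scoped one. The same check applied to a real Gemfile would need the inventory filled from each source's index rather than a constructed hash.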
References
- bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html (NVD: Vendor Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html (NVD: Third Party Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html (NVD: Third Party Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html (NVD: Third Party Advisory)
- lists.opensuse.org/opensuse-updates/2015-03/msg00092.html (NVD: Third Party Advisory)
- www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html (NVD: Third Party Advisory)
- www.securityfocus.com/bid/70099 (NVD: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-49jx-9cmc-xjxm (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2013-0334 (GHSA: Advisory)
- security.gentoo.org/glsa/201609-02 (NVD: Third Party Advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2013-0334.yml (GHSA)
- web.archive.org/web/20210122060358/https://www.securityfocus.com/bid/70099 (GHSA)