High severity7.8OSV Advisory· Published Sep 4, 2020· Updated Jun 17, 2026
CVE-2019-3881
CVE-2019-3881
Description
Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
bundlerRubyGems | >= 1.14.0, < 2.1.0 | 2.1.0 |
Affected products
16- ghsa-coords15 versionspkg:gem/bundlerpkg:rpm/almalinux/rubygem-abrtpkg:rpm/almalinux/rubygem-abrt-docpkg:rpm/almalinux/rubygem-bsonpkg:rpm/almalinux/rubygem-bson-docpkg:rpm/almalinux/rubygem-mongopkg:rpm/almalinux/rubygem-mongo-docpkg:rpm/almalinux/rubygem-mysql2pkg:rpm/almalinux/rubygem-mysql2-docpkg:rpm/almalinux/rubygem-pgpkg:rpm/almalinux/rubygem-pg-docpkg:rpm/opensuse/rubygem-bundler&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/rubygem-bundler&distro=openSUSE%20Leap%2015.2pkg:rpm/suse/rubygem-bundler&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1pkg:rpm/suse/rubygem-bundler&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2
>= 1.14.0, < 2.1.0+ 14 more
- (no CPE)range: >= 1.14.0, < 2.1.0
- (no CPE)range: < 0.3.0-4.module_el8.5.0+259+8cec6917
- (no CPE)range: < 0.3.0-4.module_el8.5.0+259+8cec6917
- (no CPE)range: < 4.5.0-1.module_el8.5.0+2623+08a8ba32
- (no CPE)range: < 4.5.0-1.module_el8.5.0+250+ba22dbf7
- (no CPE)range: < 2.8.0-1.module_el8.5.0+250+ba22dbf7
- (no CPE)range: < 2.8.0-1.module_el8.5.0+250+ba22dbf7
- (no CPE)range: < 0.5.2-1.module_el8.5.0+250+ba22dbf7
- (no CPE)range: < 0.5.2-1.module_el8.5.0+250+ba22dbf7
- (no CPE)range: < 1.1.4-1.module_el8.5.0+250+ba22dbf7
- (no CPE)range: < 1.1.4-1.module_el8.5.0+2623+08a8ba32
- (no CPE)range: < 1.16.1-lp151.3.3.1
- (no CPE)range: < 1.16.1-lp152.4.3.1
- (no CPE)range: < 1.16.1-3.3.1
- (no CPE)range: < 1.16.1-3.3.1
Patches
Vulnerability mechanics
References
6- bugzilla.redhat.com/show_bug.cginvdIssue TrackingPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-g98m-96g9-wfjqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-3881ghsaADVISORY
- github.com/rubygems/bundler/issues/6501ghsaWEB
- github.com/rubygems/bundler/pull/7416/commits/65cfebb041c454c246aaf32a177b0243915a9998ghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2019-3881.ymlghsaWEB
News mentions
0No linked articles in our index yet.