VYPR
High severity7.8OSV Advisory· Published Sep 4, 2020· Updated Jun 17, 2026

CVE-2019-3881

CVE-2019-3881

Description

Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
bundlerRubyGems
>= 1.14.0, < 2.1.02.1.0

Affected products

16

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.