High severityNVD Advisory· Published Apr 29, 2021· Updated Aug 4, 2024
CVE-2020-36327
CVE-2020-36327
Description
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
bundlerRubyGems | >= 1.16.0, < 2.2.10 | 2.2.10 |
bundlerRubyGems | >= 2.2.11, < 2.2.18 | 2.2.18 |
Affected products
53- Bundler/Bundlerdescription
- ghsa-coords52 versionspkg:gem/bundlerpkg:rpm/almalinux/rubypkg:rpm/almalinux/ruby-default-gemspkg:rpm/almalinux/ruby-develpkg:rpm/almalinux/ruby-docpkg:rpm/almalinux/rubygem-abrtpkg:rpm/almalinux/rubygem-abrt-docpkg:rpm/almalinux/rubygem-bigdecimalpkg:rpm/almalinux/rubygem-bsonpkg:rpm/almalinux/rubygem-bson-docpkg:rpm/almalinux/rubygem-bundlerpkg:rpm/almalinux/rubygem-bundler-docpkg:rpm/almalinux/rubygem-did_you_meanpkg:rpm/almalinux/rubygem-io-consolepkg:rpm/almalinux/rubygem-irbpkg:rpm/almalinux/rubygem-jsonpkg:rpm/almalinux/rubygem-minitestpkg:rpm/almalinux/rubygem-mongopkg:rpm/almalinux/rubygem-mongo-docpkg:rpm/almalinux/rubygem-mysql2pkg:rpm/almalinux/rubygem-mysql2-docpkg:rpm/almalinux/rubygem-net-telnetpkg:rpm/almalinux/rubygem-opensslpkg:rpm/almalinux/rubygem-pgpkg:rpm/almalinux/rubygem-pg-docpkg:rpm/almalinux/rubygem-power_assertpkg:rpm/almalinux/rubygem-psychpkg:rpm/almalinux/rubygem-rakepkg:rpm/almalinux/rubygem-rdocpkg:rpm/almalinux/rubygemspkg:rpm/almalinux/rubygems-develpkg:rpm/almalinux/rubygem-test-unitpkg:rpm/almalinux/rubygem-xmlrpcpkg:rpm/almalinux/ruby-irbpkg:rpm/almalinux/ruby-libspkg:rpm/opensuse/rubygem-bundler&distro=openSUSE%20Leap%2015.6pkg:rpm/suse/rubygem-bundler&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/rubygem-bundler&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/rubygem-bundler&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/rubygem-bundler&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/rubygem-bundler&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/rubygem-bundler&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/rubygem-bundler&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6pkg:rpm/suse/rubygem-bundler&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7pkg:rpm/suse/rubygem-bundler&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/rubygem-bundler&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/rubygem-bundler&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/rubygem-bundler&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/rubygem-bundler&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/rubygem-bundler&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/rubygem-bundler&distro=SUSE%20Manager%20Proxy%204.3pkg:rpm/suse/rubygem-bundler&distro=SUSE%20Manager%20Server%204.3
>= 1.16.0, < 2.2.10+ 51 more
- (no CPE)range: >= 1.16.0, < 2.2.10
- (no CPE)range: < 2.7.4-137.module_el8.4.0+2515+f744ca41
- (no CPE)range: < 2.7.4-137.module_el8.4.0+2515+f744ca41
- (no CPE)range: < 2.7.4-137.module_el8.5.0+117+35d1289b
- (no CPE)range: < 2.7.4-137.module_el8.4.0+2515+f744ca41
- (no CPE)range: < 0.4.0-1.module_el8.4.0+2399+4e3a532a
- (no CPE)range: < 0.4.0-1.module_el8.5.0+118+1ab773e1
- (no CPE)range: < 2.0.0-137.module_el8.4.0+2515+f744ca41
- (no CPE)range: < 4.8.1-1.module_el8.5.0+117+35d1289b
- (no CPE)range: < 4.8.1-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 2.2.24-137.module_el8.4.0+2515+f744ca41
- (no CPE)range: < 1.16.1-4.module_el8.5.0+259+8cec6917
- (no CPE)range: < 1.3.0-108.module_el8.5.0+2623+08a8ba32
- (no CPE)range: < 0.5.6-137.module_el8.4.0+2515+f744ca41
- (no CPE)range: < 1.2.6-137.module_el8.4.0+2515+f744ca41
- (no CPE)range: < 2.3.0-137.module_el8.5.0+117+35d1289b
- (no CPE)range: < 5.13.0-137.module_el8.4.0+2515+f744ca41
- (no CPE)range: < 2.11.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 2.11.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 0.5.3-1.module_el8.4.0+2399+4e3a532a
- (no CPE)range: < 0.5.3-1.module_el8.5.0+118+1ab773e1
- (no CPE)range: < 0.2.0-137.module_el8.4.0+2515+f744ca41
- (no CPE)range: < 2.1.2-137.module_el8.4.0+2515+f744ca41
- (no CPE)range: < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 1.1.7-137.module_el8.4.0+2515+f744ca41
- (no CPE)range: < 3.1.0-137.module_el8.4.0+2515+f744ca41
- (no CPE)range: < 13.0.1-137.module_el8.4.0+2515+f744ca41
- (no CPE)range: < 6.2.1.1-137.module_el8.4.0+2515+f744ca41
- (no CPE)range: < 3.1.6-137.module_el8.4.0+2515+f744ca41
- (no CPE)range: < 3.1.6-137.module_el8.4.0+2515+f744ca41
- (no CPE)range: < 3.3.4-137.module_el8.4.0+2515+f744ca41
- (no CPE)range: < 0.3.0-137.module_el8.4.0+2515+f744ca41
- (no CPE)range: < 2.5.9-107.module_el8.5.0+2625+ec418553
- (no CPE)range: < 2.7.4-137.module_el8.4.0+2515+f744ca41
- (no CPE)range: < 2.2.34-150000.3.11.1
- (no CPE)range: < 2.2.34-150000.3.11.1
- (no CPE)range: < 2.2.34-150000.3.11.1
- (no CPE)range: < 2.2.34-150000.3.11.1
- (no CPE)range: < 2.2.34-150000.3.11.1
- (no CPE)range: < 2.2.34-150000.3.11.1
- (no CPE)range: < 2.2.34-150000.3.11.1
- (no CPE)range: < 2.2.34-150000.3.11.1
- (no CPE)range: < 2.2.34-150700.21.3.1
- (no CPE)range: < 2.2.34-150000.3.11.1
- (no CPE)range: < 2.2.34-150000.3.11.1
- (no CPE)range: < 2.2.34-150000.3.11.1
- (no CPE)range: < 2.2.34-150000.3.11.1
- (no CPE)range: < 2.2.34-150000.3.11.1
- (no CPE)range: < 2.2.34-150000.3.11.1
- (no CPE)range: < 2.2.34-150000.3.11.1
- (no CPE)range: < 2.2.34-150000.3.11.1
Patches
Vulnerability mechanics
References
15- github.com/advisories/GHSA-fp4w-jxhp-m23pghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2020-36327ghsaADVISORY
- bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.htmlghsax_refsource_MISCWEB
- github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.mdghsaWEB
- github.com/rubygems/rubygems/commit/078bf682ac40017b309b5fc69f283ff640e7c129ghsaWEB
- github.com/rubygems/rubygems/issues/3982ghsax_refsource_MISCWEB
- github.com/rubygems/rubygems/pull/4609ghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2020-36327.ymlghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSLghsaWEB
- mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-thingsghsaWEB
- mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/mitrex_refsource_MISC
- msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105ghsax_refsource_MISCWEB
- www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327ghsaWEB
- www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.