VYPR

Bundler

by Bundler

gem: bundler

CVEs (3)

  • CVE-2016-7954 | Cri | Dec 22, 2016
    risk 0.64 | cvss 9.8 | epss 0.08

    Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.

  • CVE-2019-3881 | Sep 4, 2020
    risk 0.00 | cvss | epss 0.01

    Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an…

  • CVE-2013-0334 | Oct 31, 2014
    risk 0.00 | cvss | epss 0.04

    Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.