RubySec

Providing security resources for the Ruby community

CVE-2016-7954 (bundler): Allows an attacker to inject arbitrary code into your application via any secondary Gem source declared in your Gemfile

GEM

bundler

SEVERITY

CVSS v3.x: 9.8 (Critical)

CVSS v2.0: 7.5 (High)

PATCHED VERSIONS

  • >= 2.0.0

DESCRIPTION

Bundler 1.x may allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. When a Gemfile declares two or more top-level `source` lines, Bundler 1.x treats them as one pooled set of sources and will satisfy a dependency from whichever of them serves a gem of that name, so a gem intended to come from one source (for example a private gem server) can instead be fetched from another source where an attacker has published a gem with the same name, and that gem's code is then installed and loaded by the application.

Please note that this vulnerability only applies to Ruby projects using Bundler < 2.0 whose Gemfile has 2 or more top-level "source" lines. Gems declared inside a `source "..." do ... end` block, or with an explicit `source:` option, are pinned to that source and are not subject to the collision.

In other words, if the Gemfile does not use multiple global sources, this vulnerability can be ignored. Projects that do use several sources should pin each gem to the source it is expected to come from rather than listing the sources globally.
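The check below is an added example, not RubySec's or Bundler's own code: a small auditor that evaluates a Gemfile with a stand-in for Bundler's DSL and reports the exact shape this advisory depends on, two or more global `source` lines together with gems that are not pinned to any one of them. The two embedded Gemfiles are constructed samples; the private source URL `https://gems.example.internal` and the gem name `internal-auth` are placeholders. It runs offline and never contacts a gem server.

```ruby
# Minimal Gemfile DSL evaluator used only for auditing (assumed helper, not
# part of Bundler). It records global `source` lines, scoped `source ... do`
# blocks and per-gem `source:` options, then reports which gems Bundler < 2.0
# would be willing to resolve from *any* global source.
class GemfileAudit
  attr_reader :global_sources, :gems

  def initialize
    @global_sources = []   # top-level `source "url"` lines, in order
    @gems = {}             # gem name => pinned source URL, or :global
    @current_scope = nil   # source URL of the enclosing `source ... do` block
  end

  # Evaluate Gemfile text; `path` is only used for error messages.
  def self.audit(gemfile_text, path = "Gemfile")
    audit = new
    audit.instance_eval(gemfile_text, path)
    audit
  end

  # `source "url"` at top level is global; `source "url" do ... end` pins the
  # gems declared inside the block to that URL.
  def source(url, &block)
    if block
      previous, @current_scope = @current_scope, url
      instance_eval(&block)
      @current_scope = previous
    else
      @global_sources << url
    end
  end

  # `gem "name", ..., source: "url"` pins explicitly; otherwise the gem takes
  # the enclosing block's source, or :global when there is none.
  def gem(name, *args)
    opts = args.last.is_a?(Hash) ? args.last : {}
    @gems[name] = opts[:source] || @current_scope || :global
  end

  # Other directives (group, platforms, ruby, gemspec, git_source ...) do not
  # affect the check; their blocks are still evaluated so nested gems are seen.
  def method_missing(name, *args, &block)
    instance_eval(&block) if block
    nil
  end

  def respond_to_missing?(*)
    true
  end

  def multiple_global_sources?
    @global_sources.size >= 2
  end

  # Gems exposed to the CVE-2016-7954 name collision: unpinned gems in a
  # Gemfile that pools two or more global sources. Empty when there is only
  # one global source, matching the advisory's "can be ignored" case.
  def exposed_gems
    return [] unless multiple_global_sources?
    @gems.select { |_, src| src == :global }.keys
  end
end

# Constructed sample: the vulnerable shape (two pooled global sources).
VULNERABLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.example.internal"

  gem "rails"
  gem "internal-auth"
GEMFILE

# Constructed sample: the same dependencies with the private gem pinned to its
# own source via a source block, so only rubygems.org remains global.
HARDENED_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"

  gem "rails"

  source "https://gems.example.internal" do
    gem "internal-auth"
  end
GEMFILE

if __FILE__ == $PROGRAM_NAME
  { "vulnerable" => VULNERABLE_GEMFILE, "hardened" => HARDENED_GEMFILE }.each do |label, text|
    report = GemfileAudit.audit(text, "#{label}/Gemfile")
    if report.multiple_global_sources?
      puts "#{label}: #{report.global_sources.size} global sources; " \
           "gems resolvable from any of them: #{report.exposed_gems.join(', ')}"
    else
      puts "#{label}: ok (single global source)"
    end
  end
end
```

Run it against a real Gemfile with `GemfileAudit.audit(File.read("Gemfile"))`; a non-empty `exposed_gems` on a project still on Bundler 1.x is the condition the advisory describes, and moving each of those gems into the `source ... do` block (or adding `source:`) for the server it is supposed to come from clears it.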

RELATED