RubySec

Providing security resources for the Ruby community

CVE-2016-7954 (bundler): Allows an attacker to inject arbitrary code into your application via any secondary Gem source declared in your Gemfile


Published: October 06, 2016

SECURITY IDENTIFIERS

CVE-2016-7954

GEM

bundler

SEVERITY

CVSS v3.x: 9.8 (Critical)

CVSS v2.0: 7.5 (High)

PATCHED VERSIONS

>= 2.0.0

DESCRIPTION

Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a Gem name collision on a secondary source. When a Gemfile declares more than one top-level source, a gem that is not pinned to a specific source may be resolved from any of them, so a gem published under the same name on a secondary source can be installed in place of the one the author intended, and its code then runs inside the application.

Please note that this vulnerability only applies to Ruby projects using Bundler < 2.0 with Gemfiles that declare two or more top-level "source" lines. A source declared with a block (`source "https://..." do ... end`) pins the gems inside the block to that one server and does not create this ambiguity.

In other words, if the user's Gemfile does not use multiple top-level sources, this vulnerability can be ignored.
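As an added example (not code from this advisory or from Bundler itself), the following Ruby checker evaluates a Gemfile against a minimal stand-in for Bundler's DSL and reports whether the precondition above holds: two or more top-level `source` lines, with the gems that could be fetched from any of them. The two sample Gemfiles and the private server URL `https://gems.example.internal` are constructed for illustration; the second Gemfile shows the same dependencies with the private server scoped to a `source` block.

```ruby
# Added example; not part of the RubySec advisory or of Bundler.
# Minimal stand-in for the Gemfile DSL that records where each gem may be
# fetched from, so the CVE-2016-7954 precondition (two or more top-level
# "source" lines on Bundler < 2.0) can be checked without running Bundler.
class GemfileAudit
  Result = Struct.new(:global_sources, :unscoped_gems, :scoped_gems) do
    # Affected when the Gemfile declares 2+ distinct top-level sources: every
    # unscoped gem may then resolve from any of them, so a colliding gem name
    # on a secondary source can be installed instead of the intended gem.
    def affected?
      global_sources.uniq.size >= 2
    end
  end

  def initialize
    @global_sources = []
    @unscoped_gems = []
    @scoped_gems = Hash.new { |h, k| h[k] = [] }
    @current_source = nil
  end

  # `source "url"` at the top level registers a global source.
  # `source "url" do ... end` pins the gems inside the block to that server,
  # which is how a private gem server should be mixed with rubygems.org.
  def source(url)
    if block_given?
      previous, @current_source = @current_source, url
      begin
        yield
      ensure
        @current_source = previous
      end
    else
      @global_sources << url
    end
  end

  def gem(name, *_requirements_and_options)
    if @current_source
      @scoped_gems[@current_source] << name
    else
      @unscoped_gems << name
    end
  end

  # Other directives (group, platforms, ruby, gemspec, ...) are accepted and
  # ignored; block-taking ones still have their bodies evaluated so that gems
  # declared inside them are counted.
  def method_missing(_name, *_args)
    yield if block_given?
    nil
  end

  def result
    Result.new(@global_sources.dup, @unscoped_gems.dup, @scoped_gems.transform_values(&:dup))
  end

  def self.evaluate(gemfile_text)
    audit = new
    audit.instance_eval(gemfile_text, "Gemfile", 1)
    audit.result
  end
end

# Constructed sample Gemfile (hypothetical private server URL). Two top-level
# sources: every gem below may be fetched from either server.
RISKY_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.example.internal"

  gem "rails", "~> 5.0"
  gem "internal-auth"

  group :test do
    gem "rspec"
  end
GEMFILE

# Same dependencies, with the private server scoped to the gem it hosts.
HARDENED_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"

  gem "rails", "~> 5.0"

  source "https://gems.example.internal" do
    gem "internal-auth"
  end

  group :test do
    gem "rspec"
  end
GEMFILE

if __FILE__ == $PROGRAM_NAME
  [["risky", RISKY_GEMFILE], ["hardened", HARDENED_GEMFILE]].each do |label, text|
    r = GemfileAudit.evaluate(text)
    status = r.affected? ? "AFFECTED on Bundler < 2.0" : "ok"
    puts "#{label}: #{status}; global sources=#{r.global_sources.inspect}; " \
         "gems resolvable from any global source=#{r.unscoped_gems.inspect}"
  end
end
```

Run it against a real Gemfile with `GemfileAudit.evaluate(File.read("Gemfile"))`; the `unscoped_gems` list is the set of names worth checking for collisions on each declared server, and moving the private server into a `source` block is the change that makes `affected?` false.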
