Описание
Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| bundler | fixed | 2.1.4-1 | package | |
| bundler | ignored | buster | package | |
| bundler | ignored | stretch | package | |
| bundler | ignored | jessie | package | |
| bundler | no-dsa | wheezy | package |
Примечания
https://www.openwall.com/lists/oss-security/2016/10/04/5
There is no plan from upstream to address this for bundler 1.x
due to lockfile format.
Связанные уязвимости
Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.
Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.
Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.
Bundler allows attacker to inject arbitrary code via secondary Gem source
Уязвимость компонента Gem Name Handler менеджера для управления зависимостями gem в ruby приложениях Bundler, связанная с недостатком механизма управления генерацией кода, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании