CVE-2016-7954

Опубликовано: 22 дек. 2016

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.

Ссылки

http://collectiveidea.com/blog/archives/2016/10/06/bundlers-multiple-source-security-vulnerability/
Exploit
Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/10/04/5
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/10/04/7
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/10/05/3
Mailing List
Third Party Advisory
http://www.securityfocus.com/bid/93423
Third Party Advisory
VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1381951
Issue Tracking
https://github.com/bundler/bundler/issues/5051
Issue Tracking
Patch
Third Party Advisory
https://github.com/bundler/bundler/issues/5062
Issue Tracking
Patch
Third Party Advisory
http://collectiveidea.com/blog/archives/2016/10/06/bundlers-multiple-source-security-vulnerability/
Exploit
Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/10/04/5
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/10/04/7
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/10/05/3
Mailing List
Third Party Advisory
http://www.securityfocus.com/bid/93423
Third Party Advisory
VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1381951
Issue Tracking
https://github.com/bundler/bundler/issues/5051
Issue Tracking
Patch
Third Party Advisory
https://github.com/bundler/bundler/issues/5062
Issue Tracking
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:bundler:bundler:1.0.0:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.0:beta1:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.0:beta10:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.0:beta6:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.0:beta7:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.0:beta8:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.0:beta9:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.0:rc1:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.0:rc2:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.0:rc3:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.0:rc4:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.0:rc5:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.0:rc6:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.1:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.2:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.3:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.4:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.5:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.6:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.7:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.8:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.9:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.10:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.11:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.12:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.13:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.14:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.15:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.16:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.17:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.18:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.19:rc:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.20:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.20:rc:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.21:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.0.21:rc:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1:pre:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1:pre1:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1:pre10:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1:pre2:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1:pre3:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1:pre4:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1:pre5:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1:pre6:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1:pre7:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1:pre8:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1:pre9:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1:rc:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1:rc2:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1:rc3:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1:rc4:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1:rc5:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1:rc6:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1:rc7:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1:rc8:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1.0:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1.1:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1.2:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1.3:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1.4:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.1.5:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.2.0:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.2.0:pre:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.2.0:pre1:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.2.0:rc:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.2.0:rc2:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.2.1:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.2.2:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.2.3:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.2.4:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.2.5:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.3.0:pre:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.3.0:pre2:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.3.0:pre3:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.3.0:pre4:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.3.0:pre5:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.3.0:pre6:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.3.0:pre7:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.3.0:pre8:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.3.1:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.3.2:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.3.3:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.3.4:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.3.5:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.3.6:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.4.0:pre1:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.4.0:rc1:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.5.0:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.5.0:rc1:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.5.0:rc2:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.5.1:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.5.2:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.5.3:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.6.0:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.6.1:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.6.2:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.6.3:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.6.4:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.6.5:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.6.6:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.6.7:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.7.0:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.7.1:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.7.2:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.7.3:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.7.4:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.7.5:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.7.6:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.7.7:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.7.8:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.7.9:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.7.10:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.7.11:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.7.12:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.7.13:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.7.14:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.7.15:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.8.0:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.8.0:pre:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.8.0:rc:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.8.1:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.8.2:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.8.3:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.8.4:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.8.5:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.8.6:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.8.7:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.8.8:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.8.9:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.9.0:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.9.0:pre:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.9.0:pre1:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.9.0:rc:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.9.1:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.9.2:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.9.3:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.9.4:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.9.5:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.9.6:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.9.7:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.9.8:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.9.9:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.9.10:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.10.0:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.10.0:pre:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.10.0:pre1:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.10.0:pre2:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.10.0:rc:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.10.1:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.10.2:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.10.3:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.10.4:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.10.5:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.10.6:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.11.0:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.11.0:pre1:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.11.0:pre2:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.11.1:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.11.2:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.12.0:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.12.0:pre1:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.12.0:pre2:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.12.0:rc:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.12.0:rc2:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.12.0:rc3:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.12.0:rc4:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.12.1:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.12.2:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.12.3:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.12.4:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.12.5:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.12.6:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.13.0:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.13.0:pre1:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.13.0:rc1:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.13.0:rc2:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.13.1:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.13.2:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.13.3:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.13.4:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.13.5:*:*:*:*:*:*:*

cpe:2.3:a:bundler:bundler:1.13.6:*:*:*:*:*:*:*

EPSS

Процентиль: 79%

0.01206

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-94

Связанные уязвимости

CVE-2016-7954

CVSS3: 9.8

ubuntu

около 9 лет назад

Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.

CVE-2016-7954

CVSS3: 4.9

redhat

больше 9 лет назад

Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.

CVE-2016-7954

CVSS3: 9.8

debian

около 9 лет назад

Bundler 1.x might allow remote attackers to inject arbitrary Ruby code ...

GHSA-jvgm-pfqv-887x

CVSS3: 9.8

github

больше 3 лет назад

Bundler allows attacker to inject arbitrary code via secondary Gem source

BDU:2021-01399

CVSS3: 9.8

fstec

больше 9 лет назад

Уязвимость компонента Gem Name Handler менеджера для управления зависимостями gem в ruby приложениях Bundler, связанная с недостатком механизма управления генерацией кода, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании

EPSS

Процентиль: 79%

0.01206

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-94