Description
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.
A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to one of the sources could create a malicious gem with the same name, which they could then use to trick a user into installing, potentially resulting in execution of code from the attacker-supplied malicious gem.
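As an added example, not Bundler's own code and not text from this advisory: the script below lints a Gemfile for multiple top-level `source` lines (the configuration the advisory describes) and models, against constructed gem indexes, how a merged lookup across global sources lets an attacker's same-named gem on one source win over the intended gem on another, beside the `source` block form introduced in Bundler 1.7 that pins a gem to a single source. Every URL, gem name and version here is invented, and the resolver is a deliberate simplification (the highest version satisfying the requirement wins across the merged indexes), not Bundler's actual algorithm.

```ruby
require "rubygems" # Gem::Version / Gem::Requirement for version comparison

# Constructed gem indexes for two hypothetical sources (name => available versions).
# The attacker has published a same-named "internal-auth" on the public source
# with a version high enough to win resolution.
PUBLIC_SOURCE   = "https://rubygems.example"
INTERNAL_SOURCE = "https://gems.internal.example"
INDEXES = {
  PUBLIC_SOURCE   => { "rake" => %w[10.1.0 10.3.2], "internal-auth" => %w[99.0.0] },
  INTERNAL_SOURCE => { "internal-auth" => %w[1.2.0 1.2.1] },
}.freeze

# Vulnerable layout: two top-level `source` lines, so "internal-auth" may come from either.
GEMFILE_VULNERABLE = <<~GEMFILE
  source "https://rubygems.example"
  source "https://gems.internal.example"

  gem "rake"
  gem "internal-auth", ">= 1.2"
GEMFILE

# Hardened layout (Bundler 1.7+): one global source, the private gem pinned via a `source` block.
GEMFILE_PINNED = <<~GEMFILE
  source "https://rubygems.example"

  gem "rake"
  source "https://gems.internal.example" do
    gem "internal-auth", ">= 1.2"
  end
GEMFILE

# Lint: return the URLs of top-level `source` lines (a `source ... do` block is not one).
# More than one result is the risky configuration described in the advisory.
def top_level_sources(gemfile)
  gemfile.each_line.map do |line|
    m = line.strip.match(/\Asource\s+["']([^"']+)["']\s*\z/)
    m && m[1]
  end.compact
end

# Simplified model of the pre-1.7 lookup: the indexes of every global source are merged
# and the highest version satisfying the requirement wins, whichever source it lives on.
def resolve_merged(name, requirement, sources)
  req = Gem::Requirement.new(requirement)
  candidates = sources.flat_map do |src|
    INDEXES.fetch(src, {}).fetch(name, []).map { |v| [src, Gem::Version.new(v)] }
  end
  best = candidates.select { |_, v| req.satisfied_by?(v) }.max_by { |_, v| v }
  best && { source: best[0], version: best[1].to_s }
end

# Pinned resolution: only the declared source's index is consulted for this gem,
# so a same-named gem on any other source can never be selected.
def resolve_pinned(name, requirement, source)
  resolve_merged(name, requirement, [source])
end

if $PROGRAM_NAME == __FILE__
  puts "top-level sources (vulnerable): #{top_level_sources(GEMFILE_VULNERABLE).inspect}"
  puts "top-level sources (pinned):     #{top_level_sources(GEMFILE_PINNED).inspect}"
  puts "merged lookup: #{resolve_merged('internal-auth', '>= 1.2', INDEXES.keys).inspect}"
  puts "pinned lookup: #{resolve_pinned('internal-auth', '>= 1.2', INTERNAL_SOURCE).inspect}"
end
```

The lint is the part worth wiring into CI: a Gemfile with more than one top-level `source` is the condition to reject, independent of how any particular Bundler version resolves the ambiguity. Bundler 1.7 and later also warn when a gem is found in more than one global source, but pinning private gems with a `source` block (or the `source:` option on `gem`) removes the ambiguity rather than merely flagging it.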
Affected packages
| Platform | Package | Status | Advisory | Release date |
|---|---|---|---|---|
| CloudForms Management Engine 5 | ruby193-rubygem-bundler | Will not fix | | |
| OpenShift Enterprise 1 | ruby193-rubygem-bundler | Will not fix | | |
| OpenShift Enterprise 1 | rubygem-bundler | Will not fix | | |
| OpenStack Foreman | rubygem-bundler | Will not fix | | |
| Red Hat OpenShift Enterprise 2 | rubygem-bundler | Will not fix | | |
| Red Hat OpenStack Platform 4 | ruby193-rubygem-bundler | Will not fix | | |
| Red Hat Software Collections | ror40-rubygem-bundler | Will not fix | | |
| Red Hat Software Collections | ruby193-rubygem-bundler | Will not fix | | |
| Red Hat Subscription Asset Manager | ruby193-rubygem-bundler | Will not fix | | |
| Red Hat Enterprise Linux 7 | rubygem-bundler | Fixed | RHSA-2015:2180 | 19.11.2015 |
Additional information
Status:
EPSS:
CVSS2: 5.1 (Medium)
Related vulnerabilities
Bundler may install gems from a different source than expected