CVE-2020-36327

Опубликовано: 09 фев. 2021

Источник: redhat

CVSS3: 8.8

Описание

Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.

A flaw was found in the way Bundler determined the source repository when installing dependencies of source-restricted gem packages. In configurations that use multiple gem repositories and explicitly define from which source repository certain gems are to be installed, a dependency of a source-restricted gem could be installed form a different source if that repository provided higher version of the package. This could lead to installation of a malicious gem version and arbitrary code execution.

Отчет

Red Hat Satellite does not ship RubyGem bundler, however, the product consumes it from the Red Hat Software Collections (RHSCL) repository.

Меры по смягчению последствий

This issue only affects configurations where gem packages are installed from multiple sources and the source repositories are explicitly defined for at least some gems. Dependencies of those source-restricted gems may be installed form a different repository, even if the same repository provides those dependencies, which is inconsistent with the intended behaviour described in the Bundler documentation. There are multiple possible approaches to mitigate this issue - customers should evaluate which approaches are usable in their environments.

Explicitly define source for all dependency gems in the Gemfile configuration. When a dependency of a source-restricted gem is also to be installed form the same source, list such dependency explicitly in the Gemfile along with the specific source.
Avoid configurations with multiple source repositories. When using a private repository for non-public gems, use the same private repository to mirror any content required from any public gem repository, such as RubyGems.org. When preparing such mirror, ensure that no mirrored gems have names conflicting with names of the internal non-public gems.
Reserve internal package names in public repositories. For any internal private gem, also reserve the name in any public gem repository used, such as RubyGems.org. This will prevent attackers from registering those names and providing their malicious gems with higher versions. Additional information about affected configurations can be found in the following Red Hat Knowledgebase article: https://access.redhat.com/articles/6206172

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
CloudForms Management Engine 5	rubygem-bundler	Will not fix
Logging Subsystem for Red Hat OpenShift	ruby	Affected
Red Hat 3scale API Management Platform 2	rubygem-bundler	Affected
Red Hat Enterprise Linux 7	rubygem-bundler	Not affected
Red Hat Enterprise Linux 9	ruby	Not affected
Red Hat Software Collections	rh-ruby25-rubygem-bundler	Will not fix
Red Hat Enterprise Linux 8	ruby	Fixed	RHSA-2021:3020	05.08.2021
Red Hat Enterprise Linux 8	ruby	Fixed	RHSA-2022:0543	16.02.2022
Red Hat Enterprise Linux 8	ruby	Fixed	RHSA-2022:0545	16.02.2022
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions	ruby	Fixed	RHSA-2022:0548	16.02.2022

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-494

https://bugzilla.redhat.com/show_bug.cgi?id=1958999rubygem-bundler: Dependencies of gems with explicit source may be installed from a different source

8.8 High

CVSS3