CVE-2020-36327

{"id": "CVE-2020-36327", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2021-04-29T03:15:08.710", "references": [{"url": "https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/rubygems/rubygems/issues/3982", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/", "source": "cve@mitre.org"}, {"url": "https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/rubygems/rubygems/issues/3982", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every \"Dependency Confusion\" issue in every product."}, {"lang": "es", "value": "Bundler versiones 1.16.0 hasta 2.2.9 y versiones 2.2.11 hasta 2.2.16, a veces elige una fuente de dependencia basada en el n\u00famero de versi\u00f3n de una gema m\u00e1s alto, lo que significa que se puede elegir una gema falsa que se encuentre en una fuente p\u00fablica, incluso si la elecci\u00f3n deseada fue una gema privada que depende de otra gema privada de la que depende expl\u00edcitamente la aplicaci\u00f3n. NOTA: no es correcto usar CVE-2021-24105 para cada problema de \"Dependency Confusion\" en cada producto"}], "lastModified": "2024-11-21T05:29:17.540", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "B84C5D9C-16BD-4670-AF3E-5DCCB62276AB", "versionEndExcluding": "2.2.10", "versionStartIncluding": "1.16.0"}, {"criteria": "cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "01DEFBF9-648B-48E3-A88D-93A61FF8B965", "versionEndIncluding": "2.2.16", "versionStartIncluding": "2.2.11"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:package_manager_configurations:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71D274DE-99A4-4FC3-A43B-53A2D68A0E09"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}