Arbitrary Code Execution Affecting bundler package, versions < 1.7.0
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUBY-BUNDLER-20189
- published12 Aug 2014
- disclosed12 Aug 2014
- creditAndreas Loupasakis, Fotos Georgiadis
Introduced: 12 Aug 2014
CVE-2013-0334 (opens in a new tab)Overview
bundler is a dependencies manager.
Affected versions of this Gem contain a flaw that is triggered when handling a Gemfile that contains multiple top-level source lines. This may allow a gem to be installed from an unintended source server, allowing an attacker to install specially crafted gems, leading to arbitrary code execution.
Details
Any Gemfile with multiple top-level source lines cannot reliably control the gem server that a particular gem is fetched from. As a result, Bundler might install the wrong gem if more than one source provides a gem with the same name. An attacker might create a malicious gem on Rubygems.org with the same name as a commonly-used GitHub gem. From that point forward, running bundle install might result in the malicious gem being used instead of the expected one.
It is possible to work around the issue by removing all but one source line from the Gemfile. Gems from other sources must be installed via the :git option, which is not susceptible to this issue, or unpacked into the application repository and used via the :path option.
Unfortunately, backporting a fix for this issue proved impractical, as previous versions of Bundler lacked the ability to distinguish between gem servers.