Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2013-0334
Vulnerability from gsd - Updated: 2014-08-13 00:00Details
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source. A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to one of the sources could create a malicious gem with the same name, which they could then use to trick a user into installing, potentially resulting in execution of code from the attacker-supplied malicious gem.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-0334",
"description": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.",
"id": "GSD-2013-0334",
"references": [
"https://www.suse.com/security/cve/CVE-2013-0334.html",
"https://access.redhat.com/errata/RHSA-2015:2180",
"https://linux.oracle.com/cve/CVE-2013-0334.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "bundler",
"purl": "pkg:gem/bundler"
}
}
],
"aliases": [
"CVE-2013-0334",
"OSVDB-110004"
],
"details": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source. A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to one of the sources could create a malicious gem with the same name, which they could then use to trick a user into installing, potentially resulting in execution of code from the attacker-supplied malicious gem.",
"id": "GSD-2013-0334",
"modified": "2014-08-13T00:00:00.000Z",
"published": "2014-08-13T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0334"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 5.0,
"type": "CVSS_V2"
}
],
"summary": "CVE-2013-0334 rubygem-bundler: \u0027bundle install\u0027 may install a gem from a source other than expected"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-0334",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "GLSA-201609-02",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201609-02"
},
{
"name": "FEDORA-2014-11649",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html"
},
{
"name": "FEDORA-2014-11630",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html"
},
{
"name": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html",
"refsource": "CONFIRM",
"url": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"name": "FEDORA-2014-11677",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html"
},
{
"name": "openSUSE-SU-2015:0628",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html"
},
{
"name": "70099",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/70099"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-0334",
"cvss_v2": 5.0,
"date": "2014-08-13",
"description": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source. A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to one of the sources could create a malicious gem with the same name, which they could then use to trick a user into installing, potentially resulting in execution of code from the attacker-supplied malicious gem.",
"gem": "bundler",
"osvdb": 110004,
"patched_versions": [
"\u003e= 1.7.0"
],
"title": "CVE-2013-0334 rubygem-bundler: \u0027bundle install\u0027 may install a gem from a source other than expected",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0334"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c1.7.0",
"affected_versions": "All versions before 1.7.0",
"credit": "Andreas Loupasakis, Fotos Georgiadis\r\n",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-20",
"CWE-937"
],
"date": "2019-07-16",
"description": "Any Gemfile with multiple top-level `source` lines cannot reliably control the gem server that a particular gem is fetched from. As a result, Bundler might install the wrong gem if more than one source provides a gem with the same name. This is especially possible in the case of Github\u0027s legacy gem server, hosted at gems.github.com. An attacker might create a malicious gem on Rubygems.org with the same name as a commonly-used Github gem. From that point forward, running `bundle install` might result in the malicious gem being used instead of the expected gem. ",
"fixed_versions": [
"1.7.0"
],
"identifier": "CVE-2013-0334",
"identifiers": [
"CVE-2013-0334"
],
"not_impacted": "All versions starting from 1.7.0",
"package_slug": "gem/bundler",
"pubdate": "2014-10-31",
"solution": "Upgrade to version 1.7.0 or above.",
"title": "Remote code execution",
"urls": [
"http://osvdb.org/show/osvdb/110004",
"https://groups.google.com/forum/#!topic/ruby-security-ann/Rms5sZhLxdo"
],
"uuid": "fcb7cb20-d8f5-446e-bcb1-6af25f40c432"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "1.7.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-0334"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "FEDORA-2014-11630",
"refsource": "FEDORA",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html"
},
{
"name": "FEDORA-2014-11677",
"refsource": "FEDORA",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html"
},
{
"name": "FEDORA-2014-11649",
"refsource": "FEDORA",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html"
},
{
"name": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html"
},
{
"name": "openSUSE-SU-2015:0628",
"refsource": "SUSE",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"name": "70099",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/70099"
},
{
"name": "GLSA-201609-02",
"refsource": "GENTOO",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/201609-02"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2019-07-16T12:21Z",
"publishedDate": "2014-10-31T14:55Z"
}
}
}