CVE-2013-0334 (GCVE-0-2013-0334)
Vulnerability from cvelistv5 – Published: 2014-10-31 14:00 – Updated: 2024-08-06 14:25 – n/a. Practitioner note (from the SUSE advisory description below): upgrading to Bundler 1.7 only makes `bundle install` warn about gems that are available from more than one top-level source; each such gem must still be pinned by a `:source` option or moved into a `source` block in the Gemfile, otherwise a same-named gem on another source can still be installed.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T14:25:09.692Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "GLSA-201609-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201609-02"
},
{
"name": "FEDORA-2014-11649",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html"
},
{
"name": "FEDORA-2014-11630",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"name": "FEDORA-2014-11677",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html"
},
{
"name": "openSUSE-SU-2015:0628",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html"
},
{
"name": "70099",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/70099"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-08-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-06-30T16:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "GLSA-201609-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201609-02"
},
{
"name": "FEDORA-2014-11649",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html"
},
{
"name": "FEDORA-2014-11630",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"name": "FEDORA-2014-11677",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html"
},
{
"name": "openSUSE-SU-2015:0628",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html"
},
{
"name": "70099",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/70099"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-0334",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "GLSA-201609-02",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201609-02"
},
{
"name": "FEDORA-2014-11649",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html"
},
{
"name": "FEDORA-2014-11630",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html"
},
{
"name": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html",
"refsource": "CONFIRM",
"url": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"name": "FEDORA-2014-11677",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html"
},
{
"name": "openSUSE-SU-2015:0628",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html"
},
{
"name": "70099",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/70099"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-0334",
"datePublished": "2014-10-31T14:00:00.000Z",
"dateReserved": "2012-12-06T00:00:00.000Z",
"dateUpdated": "2024-08-06T14:25:09.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2013-0334",
"date": "2026-04-14",
"epss": "0.00498",
"percentile": "0.6588"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:*\", \"versionEndExcluding\": \"1.7.0\", \"matchCriteriaId\": \"595843BB-8C46-462F-8494-F72A0328981A\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A10BC294-9196-425F-9FB0-B1625465B47F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"03117DF1-3BEC-4B8D-AD63-DBBDB2126081\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5991814D-CA77-4C25-90D2-DB542B17E0AD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FF47C9F0-D8DA-4B55-89EB-9B2C9383ADB9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"56BDB5A0-0839-4A20-A003-B8CD56F48171\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.\"}, {\"lang\": \"es\", \"value\": \"Bundler anterior a 1.7, cuando m\\u00faltiples l\\u00edneas de fuentes del m\\u00e1ximo nivel est\\u00e1n utilizadas, permite a atacantes remotos instalar gemas arbitrarias con el mismo nombre como otra gema en una fuente diferente.\"}]",
"id": "CVE-2013-0334",
"lastModified": "2024-11-21T01:47:19.717",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2014-10-31T14:55:02.687",
"references": "[{\"url\": \"http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/70099\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://security.gentoo.org/glsa/201609-02\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": 
\"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/70099\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://security.gentoo.org/glsa/201609-02\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2013-0334\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2014-10-31T14:55:02.687\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.\"},{\"lang\":\"es\",\"value\":\"Bundler anterior a 1.7, cuando m\u00faltiples l\u00edneas de fuentes del m\u00e1ximo nivel est\u00e1n utilizadas, permite a atacantes remotos instalar gemas arbitrarias con el mismo nombre como otra gema en una fuente diferente.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:*\",\"versionEndExcluding\":\"1.7.0\",\"matchCriteriaId\":\"595843BB-8C46-462F-8494-F72A0328981A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A10BC294-9196-425F-9FB0-B1625465B47F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
\",\"matchCriteriaId\":\"03117DF1-3BEC-4B8D-AD63-DBBDB2126081\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5991814D-CA77-4C25-90D2-DB542B17E0AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FF47C9F0-D8DA-4B55-89EB-9B2C9383ADB9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"56BDB5A0-0839-4A20-A003-B8CD56F48171\"}]}]}],\"references\":[{\"url\":\"http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/70099\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://security.gentoo.org/glsa/201609-02\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/70099\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://security.gentoo.org/glsa/201609-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
SUSE-SU-2015:0795-1
Vulnerability from csaf_suse – Published: 2015-03-11 16:15 – Updated: 2015-03-11 16:15
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rubygem-bundler",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThe Rubygem Bundler was updated to version 1.7.0.\n\nBundler 1.7 is a security-only release to address CVE-2013-0334, a \nvulnerability where a gem might be installed from an unintended source \nserver, particularly while using both rubygems.org and gems.github.com.\n\nUpstream changes entry with more explanations:\n\nAny Gemfile with multiple top-level source lines cannot reliably control \nthe gem server that a particular gem is fetched from. As a result, Bundler \nmight install the wrong gem if more than one source provides a gem with the \nsame name.\n\nThis is especially possible in the case of Github\u0027s legacy gem server, \nhosted at gems.github.com. An attacker might create a malicious gem on \nRubygems.org with the same name as a commonly-used Github gem. From that \npoint forward, running bundle install might result in the malicious gem \nbeing used instead of the expected gem.\n\nTo mitigate this, the Bundler and Rubygems.org teams worked together to \ncopy almost every gem hosted on gems.github.com to rubygems.org, reducing \nthe number of gems that can be used for such an attack.\n\nResolution:\n\nTo resolve this issue, upgrade to Bundler 1.7 by running gem install \nbundler. The next time you run bundle install for any Gemfile that contains \nmultiple sources, each gem available from multiple sources will print a \nwarning.\n\nFor every warning printed, edit the Gemfile to either specify a :source \noption for that gem, or move the gem line into a block that is passed to a \nsource method call.\n\nFor detailed information about the changes to how sources are handled in \nBundler version 1.7, see the release announcement.\n\nSecurity Issues:\n\n * CVE-2013-0334\n \u003chttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0334\u003e\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "sdksp3-rubygem-bundler,sleclo40sp3-rubygem-bundler,slehasp3-rubygem-bundler,sleslms13-rubygem-bundler,slestso13-rubygem-bundler,slestso13-rubygem-bundler19,slewyst13-rubygem-bundler",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2015_0795-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2015:0795-1",
"url": "https://www.suse.com/support/update/announcement/2015/suse-su-20150795-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2015:0795-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2015-April/001365.html"
},
{
"category": "self",
"summary": "SUSE Bug 898205",
"url": "https://bugzilla.suse.com/898205"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2013-0334 page",
"url": "https://www.suse.com/security/cve/CVE-2013-0334/"
}
],
"title": "Security update for rubygem-bundler",
"tracking": {
"current_release_date": "2015-03-11T16:15:22Z",
"generator": {
"date": "2015-03-11T16:15:22Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2015:0795-1",
"initial_release_date": "2015-03-11T16:15:22Z",
"revision_history": [
{
"date": "2015-03-11T16:15:22Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "rubygem-bundler-1.7.0-0.7.1.i586",
"product": {
"name": "rubygem-bundler-1.7.0-0.7.1.i586",
"product_id": "rubygem-bundler-1.7.0-0.7.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-bundler-1.7.0-0.7.1.ia64",
"product": {
"name": "rubygem-bundler-1.7.0-0.7.1.ia64",
"product_id": "rubygem-bundler-1.7.0-0.7.1.ia64"
}
}
],
"category": "architecture",
"name": "ia64"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-bundler-1.7.0-0.7.1.ppc64",
"product": {
"name": "rubygem-bundler-1.7.0-0.7.1.ppc64",
"product_id": "rubygem-bundler-1.7.0-0.7.1.ppc64"
}
}
],
"category": "architecture",
"name": "ppc64"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-bundler-1.7.0-0.7.1.s390x",
"product": {
"name": "rubygem-bundler-1.7.0-0.7.1.s390x",
"product_id": "rubygem-bundler-1.7.0-0.7.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-bundler-1.7.0-0.7.1.x86_64",
"product": {
"name": "rubygem-bundler-1.7.0-0.7.1.x86_64",
"product_id": "rubygem-bundler-1.7.0-0.7.1.x86_64"
}
},
{
"category": "product_version",
"name": "rubygem-bundler19-1.7.0-0.12.1.x86_64",
"product": {
"name": "rubygem-bundler19-1.7.0-0.12.1.x86_64",
"product_id": "rubygem-bundler19-1.7.0-0.12.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Software Development Kit 11 SP3",
"product": {
"name": "SUSE Linux Enterprise Software Development Kit 11 SP3",
"product_id": "SUSE Linux Enterprise Software Development Kit 11 SP3",
"product_identification_helper": {
"cpe": "cpe:/a:suse:sle-sdk:11:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 4",
"product": {
"name": "SUSE OpenStack Cloud 4",
"product_id": "SUSE OpenStack Cloud 4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:cloud:4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 11 SP3",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 11 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 11 SP3",
"product_identification_helper": {
"cpe": "cpe:/a:suse:sle-hae:11:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Lifecycle Management Server 1.3",
"product": {
"name": "SUSE Lifecycle Management Server 1.3",
"product_id": "SUSE Lifecycle Management Server 1.3",
"product_identification_helper": {
"cpe": "cpe:/a:suse:sle-slms:1.3"
}
}
},
{
"category": "product_name",
"name": "SUSE Studio Onsite 1.3",
"product": {
"name": "SUSE Studio Onsite 1.3",
"product_id": "SUSE Studio Onsite 1.3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-studioonsite:1.3"
}
}
},
{
"category": "product_name",
"name": "SUSE Studio Onsite 1.3",
"product": {
"name": "SUSE Studio Onsite 1.3",
"product_id": "SUSE Studio Onsite 1.3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-studioonsite:1.3"
}
}
},
{
"category": "product_name",
"name": "SUSE WebYast 1.3",
"product": {
"name": "SUSE WebYast 1.3",
"product_id": "SUSE WebYast 1.3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:webyast:1.3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-1.7.0-0.7.1.i586 as component of SUSE Linux Enterprise Software Development Kit 11 SP3",
"product_id": "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.i586"
},
"product_reference": "rubygem-bundler-1.7.0-0.7.1.i586",
"relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 11 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-1.7.0-0.7.1.ia64 as component of SUSE Linux Enterprise Software Development Kit 11 SP3",
"product_id": "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.ia64"
},
"product_reference": "rubygem-bundler-1.7.0-0.7.1.ia64",
"relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 11 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-1.7.0-0.7.1.ppc64 as component of SUSE Linux Enterprise Software Development Kit 11 SP3",
"product_id": "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.ppc64"
},
"product_reference": "rubygem-bundler-1.7.0-0.7.1.ppc64",
"relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 11 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-1.7.0-0.7.1.s390x as component of SUSE Linux Enterprise Software Development Kit 11 SP3",
"product_id": "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.s390x"
},
"product_reference": "rubygem-bundler-1.7.0-0.7.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 11 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-1.7.0-0.7.1.x86_64 as component of SUSE Linux Enterprise Software Development Kit 11 SP3",
"product_id": "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.x86_64"
},
"product_reference": "rubygem-bundler-1.7.0-0.7.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 11 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-1.7.0-0.7.1.x86_64 as component of SUSE OpenStack Cloud 4",
"product_id": "SUSE OpenStack Cloud 4:rubygem-bundler-1.7.0-0.7.1.x86_64"
},
"product_reference": "rubygem-bundler-1.7.0-0.7.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-1.7.0-0.7.1.i586 as component of SUSE Linux Enterprise High Availability Extension 11 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.i586"
},
"product_reference": "rubygem-bundler-1.7.0-0.7.1.i586",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 11 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-1.7.0-0.7.1.ia64 as component of SUSE Linux Enterprise High Availability Extension 11 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.ia64"
},
"product_reference": "rubygem-bundler-1.7.0-0.7.1.ia64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 11 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-1.7.0-0.7.1.ppc64 as component of SUSE Linux Enterprise High Availability Extension 11 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.ppc64"
},
"product_reference": "rubygem-bundler-1.7.0-0.7.1.ppc64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 11 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-1.7.0-0.7.1.s390x as component of SUSE Linux Enterprise High Availability Extension 11 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.s390x"
},
"product_reference": "rubygem-bundler-1.7.0-0.7.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 11 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-1.7.0-0.7.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 11 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.x86_64"
},
"product_reference": "rubygem-bundler-1.7.0-0.7.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 11 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-1.7.0-0.7.1.x86_64 as component of SUSE Lifecycle Management Server 1.3",
"product_id": "SUSE Lifecycle Management Server 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64"
},
"product_reference": "rubygem-bundler-1.7.0-0.7.1.x86_64",
"relates_to_product_reference": "SUSE Lifecycle Management Server 1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-1.7.0-0.7.1.x86_64 as component of SUSE Studio Onsite 1.3",
"product_id": "SUSE Studio Onsite 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64"
},
"product_reference": "rubygem-bundler-1.7.0-0.7.1.x86_64",
"relates_to_product_reference": "SUSE Studio Onsite 1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler19-1.7.0-0.12.1.x86_64 as component of SUSE Studio Onsite 1.3",
"product_id": "SUSE Studio Onsite 1.3:rubygem-bundler19-1.7.0-0.12.1.x86_64"
},
"product_reference": "rubygem-bundler19-1.7.0-0.12.1.x86_64",
"relates_to_product_reference": "SUSE Studio Onsite 1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-1.7.0-0.7.1.x86_64 as component of SUSE Studio Onsite 1.3",
"product_id": "SUSE Studio Onsite 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64"
},
"product_reference": "rubygem-bundler-1.7.0-0.7.1.x86_64",
"relates_to_product_reference": "SUSE Studio Onsite 1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler19-1.7.0-0.12.1.x86_64 as component of SUSE Studio Onsite 1.3",
"product_id": "SUSE Studio Onsite 1.3:rubygem-bundler19-1.7.0-0.12.1.x86_64"
},
"product_reference": "rubygem-bundler19-1.7.0-0.12.1.x86_64",
"relates_to_product_reference": "SUSE Studio Onsite 1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-1.7.0-0.7.1.i586 as component of SUSE WebYast 1.3",
"product_id": "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.i586"
},
"product_reference": "rubygem-bundler-1.7.0-0.7.1.i586",
"relates_to_product_reference": "SUSE WebYast 1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-1.7.0-0.7.1.ia64 as component of SUSE WebYast 1.3",
"product_id": "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.ia64"
},
"product_reference": "rubygem-bundler-1.7.0-0.7.1.ia64",
"relates_to_product_reference": "SUSE WebYast 1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-1.7.0-0.7.1.ppc64 as component of SUSE WebYast 1.3",
"product_id": "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.ppc64"
},
"product_reference": "rubygem-bundler-1.7.0-0.7.1.ppc64",
"relates_to_product_reference": "SUSE WebYast 1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-1.7.0-0.7.1.s390x as component of SUSE WebYast 1.3",
"product_id": "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.s390x"
},
"product_reference": "rubygem-bundler-1.7.0-0.7.1.s390x",
"relates_to_product_reference": "SUSE WebYast 1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-1.7.0-0.7.1.x86_64 as component of SUSE WebYast 1.3",
"product_id": "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64"
},
"product_reference": "rubygem-bundler-1.7.0-0.7.1.x86_64",
"relates_to_product_reference": "SUSE WebYast 1.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2013-0334",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2013-0334"
}
],
"notes": [
{
"category": "general",
"text": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Lifecycle Management Server 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.i586",
"SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.ia64",
"SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.ppc64",
"SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.s390x",
"SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.x86_64",
"SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.i586",
"SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.ia64",
"SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.ppc64",
"SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.s390x",
"SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.x86_64",
"SUSE OpenStack Cloud 4:rubygem-bundler-1.7.0-0.7.1.x86_64",
"SUSE Studio Onsite 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64",
"SUSE Studio Onsite 1.3:rubygem-bundler19-1.7.0-0.12.1.x86_64",
"SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.i586",
"SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.ia64",
"SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.ppc64",
"SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.s390x",
"SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2013-0334",
"url": "https://www.suse.com/security/cve/CVE-2013-0334"
},
{
"category": "external",
"summary": "SUSE Bug 898205 for CVE-2013-0334",
"url": "https://bugzilla.suse.com/898205"
},
{
"category": "external",
"summary": "SUSE Bug 922719 for CVE-2013-0334",
"url": "https://bugzilla.suse.com/922719"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Lifecycle Management Server 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.i586",
"SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.ia64",
"SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.ppc64",
"SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.s390x",
"SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.x86_64",
"SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.i586",
"SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.ia64",
"SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.ppc64",
"SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.s390x",
"SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.x86_64",
"SUSE OpenStack Cloud 4:rubygem-bundler-1.7.0-0.7.1.x86_64",
"SUSE Studio Onsite 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64",
"SUSE Studio Onsite 1.3:rubygem-bundler19-1.7.0-0.12.1.x86_64",
"SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.i586",
"SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.ia64",
"SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.ppc64",
"SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.s390x",
"SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2015-03-11T16:15:22Z",
"details": "moderate"
}
],
"title": "CVE-2013-0334"
}
]
}
FKIE_CVE-2013-0334
Vulnerability from fkie_nvd - Published: 2014-10-31 14:55 - Updated: 2025-04-12 10:46

| Source | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html | Vendor Advisory | |
| secalert@redhat.com | http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html | Third Party Advisory | |
| secalert@redhat.com | http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html | Third Party Advisory | |
| secalert@redhat.com | http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html | Third Party Advisory | |
| secalert@redhat.com | http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html | Third Party Advisory | |
| secalert@redhat.com | http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html | Third Party Advisory | |
| secalert@redhat.com | http://www.securityfocus.com/bid/70099 | Third Party Advisory, VDB Entry | |
| secalert@redhat.com | https://security.gentoo.org/glsa/201609-02 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/70099 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/201609-02 | Third Party Advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| bundler | bundler | * | |
| opensuse | opensuse | 13.1 | |
| opensuse | opensuse | 13.2 | |
| fedoraproject | fedora | 19 | |
| fedoraproject | fedora | 20 | |
| fedoraproject | fedora | 21 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "595843BB-8C46-462F-8494-F72A0328981A",
"versionEndExcluding": "1.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*",
"matchCriteriaId": "5991814D-CA77-4C25-90D2-DB542B17E0AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*",
"matchCriteriaId": "FF47C9F0-D8DA-4B55-89EB-9B2C9383ADB9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
"matchCriteriaId": "56BDB5A0-0839-4A20-A003-B8CD56F48171",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source."
},
{
"lang": "es",
"value": "Bundler anterior a 1.7, cuando se utilizan m\u00faltiples l\u00edneas source de nivel superior, permite a atacantes remotos instalar gemas arbitrarias mediante la creaci\u00f3n de una gema con el mismo nombre que otra gema en una fuente diferente."
}
],
"id": "CVE-2013-0334",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-10-31T14:55:02.687",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/70099"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/201609-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/70099"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/201609-02"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
RHSA-2015_2180
Vulnerability from csaf_redhat - Published: 2015-11-19 02:52 - Updated: 2024-11-22 09:05

A flaw was found in the way Bundler handled gems available from multiple sources (a Gemfile with more than one top-level `source` line). An attacker with access to one of the sources could create a malicious gem with the same name as a gem in another source, which they could then use to trick a user into installing it, potentially resulting in execution of code from the attacker-supplied malicious gem.
| URL | Category | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated rubygem-bundler and rubygem-thor packages that fix one security\nissue, several bugs, and add various enhancements are now available for Red\nHat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "Bundler manages an application\u0027s dependencies through its entire life,\nacross many machines, systematically and repeatably. Thor is a toolkit for\nbuilding powerful command-line interfaces.\n\nA flaw was found in the way Bundler handled gems available from multiple\nsources. An attacker with access to one of the sources could create a\nmalicious gem with the same name, which they could then use to trick a user\ninto installing, potentially resulting in execution of code from the\nattacker-supplied malicious gem. (CVE-2013-0334)\n\nBundler has been upgraded to upstream version 1.7.8 and Thor has been\nupgraded to upstream version 0.19.1, both of which provide a number of bug\nfixes and enhancements over the previous versions. (BZ#1194243, BZ#1209921)\n\nAll rubygem-bundler and rubygem-thor users are advised to upgrade to these\nupdated packages, which correct these issues and add these enhancements.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:2180",
"url": "https://access.redhat.com/errata/RHSA-2015:2180"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1146335",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146335"
},
{
"category": "external",
"summary": "1163076",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1163076"
},
{
"category": "external",
"summary": "1194243",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1194243"
},
{
"category": "external",
"summary": "1209921",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1209921"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2180.json"
}
],
"title": "Red Hat Security Advisory: rubygem-bundler and rubygem-thor security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-22T09:05:31+00:00",
"generator": {
"date": "2024-11-22T09:05:31+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2015:2180",
"initial_release_date": "2015-11-19T02:52:05+00:00",
"revision_history": [
{
"date": "2015-11-19T02:52:05+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-11-19T02:52:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T09:05:31+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ComputeNode (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-thor-0:0.19.1-1.el7.src",
"product": {
"name": "rubygem-thor-0:0.19.1-1.el7.src",
"product_id": "rubygem-thor-0:0.19.1-1.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-thor@0.19.1-1.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "rubygem-bundler-0:1.7.8-3.el7.src",
"product": {
"name": "rubygem-bundler-0:1.7.8-3.el7.src",
"product_id": "rubygem-bundler-0:1.7.8-3.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-bundler@1.7.8-3.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-thor-0:0.19.1-1.el7.noarch",
"product": {
"name": "rubygem-thor-0:0.19.1-1.el7.noarch",
"product_id": "rubygem-thor-0:0.19.1-1.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-thor@0.19.1-1.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"product": {
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"product_id": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-thor-doc@0.19.1-1.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"product": {
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"product_id": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-bundler@1.7.8-3.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"product": {
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"product_id": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-bundler-doc@1.7.8-3.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.src"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
"relates_to_product_reference": "7Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional:rubygem-thor-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional:rubygem-thor-0:0.19.1-1.el7.src"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
"relates_to_product_reference": "7Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client:rubygem-bundler-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client:rubygem-bundler-0:1.7.8-3.el7.src"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
"relates_to_product_reference": "7Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client:rubygem-thor-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client:rubygem-thor-0:0.19.1-1.el7.src"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
"relates_to_product_reference": "7Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7ComputeNode-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.src"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
"relates_to_product_reference": "7ComputeNode-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7ComputeNode-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7ComputeNode-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.src"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
"relates_to_product_reference": "7ComputeNode-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7ComputeNode-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7ComputeNode"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.src"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
"relates_to_product_reference": "7ComputeNode"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7ComputeNode"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7ComputeNode"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.src"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
"relates_to_product_reference": "7ComputeNode"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7ComputeNode"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.src"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
"relates_to_product_reference": "7Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional:rubygem-thor-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional:rubygem-thor-0:0.19.1-1.el7.src"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
"relates_to_product_reference": "7Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server:rubygem-bundler-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server:rubygem-bundler-0:1.7.8-3.el7.src"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
"relates_to_product_reference": "7Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server:rubygem-thor-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server:rubygem-thor-0:0.19.1-1.el7.src"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
"relates_to_product_reference": "7Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.src"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
"relates_to_product_reference": "7Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.src"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
"relates_to_product_reference": "7Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation:rubygem-bundler-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation:rubygem-bundler-0:1.7.8-3.el7.src"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
"relates_to_product_reference": "7Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation:rubygem-thor-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation:rubygem-thor-0:0.19.1-1.el7.src"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
"relates_to_product_reference": "7Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Workstation"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2013-0334",
"cwe": {
"id": "CWE-345",
"name": "Insufficient Verification of Data Authenticity"
},
"discovery_date": "2014-09-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1146335"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the way Bundler handled gems when more than one gem source was configured and a gem of the same name was available from several of them. An attacker able to publish to any one of those sources could upload a malicious gem carrying the same name as a legitimate gem expected from another source; \u0027bundle install\u0027 could then fetch the attacker-supplied copy instead of the intended one, potentially resulting in execution of code from the malicious gem.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-bundler: \u0027bundle install\u0027 may install a gem from a source other than expected",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Client-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Client-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7Client-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Client-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Client-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7Client-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Client:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Client:rubygem-bundler-0:1.7.8-3.el7.src",
"7Client:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Client:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Client:rubygem-thor-0:0.19.1-1.el7.src",
"7Client:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7ComputeNode-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7ComputeNode-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.src",
"7ComputeNode:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7ComputeNode:rubygem-thor-0:0.19.1-1.el7.noarch",
"7ComputeNode:rubygem-thor-0:0.19.1-1.el7.src",
"7ComputeNode:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Server-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Server-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7Server-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Server-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Server-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7Server-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Server:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Server:rubygem-bundler-0:1.7.8-3.el7.src",
"7Server:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Server:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Server:rubygem-thor-0:0.19.1-1.el7.src",
"7Server:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7Workstation-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7Workstation-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Workstation:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Workstation:rubygem-bundler-0:1.7.8-3.el7.src",
"7Workstation:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Workstation:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Workstation:rubygem-thor-0:0.19.1-1.el7.src",
"7Workstation:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-0334"
},
{
"category": "external",
"summary": "RHBZ#1146335",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146335"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-0334",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0334"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0334",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0334"
},
{
"category": "external",
"summary": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html",
"url": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html"
}
],
"release_date": "2014-08-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-11-19T02:52:05+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Client-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Client-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7Client-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Client-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Client-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7Client-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Client:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Client:rubygem-bundler-0:1.7.8-3.el7.src",
"7Client:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Client:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Client:rubygem-thor-0:0.19.1-1.el7.src",
"7Client:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7ComputeNode-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7ComputeNode-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.src",
"7ComputeNode:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7ComputeNode:rubygem-thor-0:0.19.1-1.el7.noarch",
"7ComputeNode:rubygem-thor-0:0.19.1-1.el7.src",
"7ComputeNode:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Server-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Server-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7Server-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Server-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Server-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7Server-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Server:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Server:rubygem-bundler-0:1.7.8-3.el7.src",
"7Server:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Server:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Server:rubygem-thor-0:0.19.1-1.el7.src",
"7Server:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7Workstation-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7Workstation-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Workstation:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Workstation:rubygem-bundler-0:1.7.8-3.el7.src",
"7Workstation:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Workstation:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Workstation:rubygem-thor-0:0.19.1-1.el7.src",
"7Workstation:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:2180"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"7Client-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Client-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7Client-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Client-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Client-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7Client-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Client:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Client:rubygem-bundler-0:1.7.8-3.el7.src",
"7Client:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Client:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Client:rubygem-thor-0:0.19.1-1.el7.src",
"7Client:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7ComputeNode-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7ComputeNode-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.src",
"7ComputeNode:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7ComputeNode:rubygem-thor-0:0.19.1-1.el7.noarch",
"7ComputeNode:rubygem-thor-0:0.19.1-1.el7.src",
"7ComputeNode:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Server-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Server-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7Server-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Server-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Server-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7Server-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Server:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Server:rubygem-bundler-0:1.7.8-3.el7.src",
"7Server:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Server:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Server:rubygem-thor-0:0.19.1-1.el7.src",
"7Server:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7Workstation-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7Workstation-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Workstation:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Workstation:rubygem-bundler-0:1.7.8-3.el7.src",
"7Workstation:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Workstation:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Workstation:rubygem-thor-0:0.19.1-1.el7.src",
"7Workstation:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-bundler: \u0027bundle install\u0027 may install a gem from a source other than expected"
}
]
}
RHSA-2015:2180
Vulnerability from csaf_redhat - Published: 2015-11-19 02:52 - Updated: 2025-11-21 17:54A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to one of the sources could create a malicious gem with the same name, which they could then use to trick a user into installing, potentially resulting in execution of code from the attacker-supplied malicious gem.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated rubygem-bundler and rubygem-thor packages that fix one security\nissue, several bugs, and add various enhancements are now available for Red\nHat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "Bundler manages an application\u0027s dependencies through its entire life,\nacross many machines, systematically and repeatably. Thor is a toolkit for\nbuilding powerful command-line interfaces.\n\nA flaw was found in the way Bundler handled gems available from multiple\nsources. An attacker with access to one of the sources could create a\nmalicious gem with the same name, which they could then use to trick a user\ninto installing, potentially resulting in execution of code from the\nattacker-supplied malicious gem. (CVE-2013-0334)\n\nBundler has been upgraded to upstream version 1.7.8 and Thor has been\nupgraded to upstream version 0.19.1 (shipped as rubygem-thor-0.19.1-1.el7),\nboth of which provide a number of bug fixes and enhancements over the\nprevious versions. (BZ#1194243, BZ#1209921)\n\nAll rubygem-bundler and rubygem-thor users are advised to upgrade to these\nupdated packages, which correct these issues and add these enhancements.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:2180",
"url": "https://access.redhat.com/errata/RHSA-2015:2180"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1146335",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146335"
},
{
"category": "external",
"summary": "1163076",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1163076"
},
{
"category": "external",
"summary": "1194243",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1194243"
},
{
"category": "external",
"summary": "1209921",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1209921"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2180.json"
}
],
"title": "Red Hat Security Advisory: rubygem-bundler and rubygem-thor security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2025-11-21T17:54:05+00:00",
"generator": {
"date": "2025-11-21T17:54:05+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2015:2180",
"initial_release_date": "2015-11-19T02:52:05+00:00",
"revision_history": [
{
"date": "2015-11-19T02:52:05+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-11-19T02:52:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T17:54:05+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ComputeNode (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-thor-0:0.19.1-1.el7.src",
"product": {
"name": "rubygem-thor-0:0.19.1-1.el7.src",
"product_id": "rubygem-thor-0:0.19.1-1.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-thor@0.19.1-1.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "rubygem-bundler-0:1.7.8-3.el7.src",
"product": {
"name": "rubygem-bundler-0:1.7.8-3.el7.src",
"product_id": "rubygem-bundler-0:1.7.8-3.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-bundler@1.7.8-3.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-thor-0:0.19.1-1.el7.noarch",
"product": {
"name": "rubygem-thor-0:0.19.1-1.el7.noarch",
"product_id": "rubygem-thor-0:0.19.1-1.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-thor@0.19.1-1.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"product": {
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"product_id": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-thor-doc@0.19.1-1.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"product": {
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"product_id": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-bundler@1.7.8-3.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"product": {
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"product_id": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-bundler-doc@1.7.8-3.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.src"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
"relates_to_product_reference": "7Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional:rubygem-thor-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional:rubygem-thor-0:0.19.1-1.el7.src"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
"relates_to_product_reference": "7Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client:rubygem-bundler-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client:rubygem-bundler-0:1.7.8-3.el7.src"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
"relates_to_product_reference": "7Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client:rubygem-thor-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client:rubygem-thor-0:0.19.1-1.el7.src"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
"relates_to_product_reference": "7Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7ComputeNode-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.src"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
"relates_to_product_reference": "7ComputeNode-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7ComputeNode-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7ComputeNode-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.src"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
"relates_to_product_reference": "7ComputeNode-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7ComputeNode-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7ComputeNode"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.src"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
"relates_to_product_reference": "7ComputeNode"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7ComputeNode"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7ComputeNode"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.src"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
"relates_to_product_reference": "7ComputeNode"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7ComputeNode"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.src"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
"relates_to_product_reference": "7Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional:rubygem-thor-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional:rubygem-thor-0:0.19.1-1.el7.src"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
"relates_to_product_reference": "7Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server:rubygem-bundler-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server:rubygem-bundler-0:1.7.8-3.el7.src"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
"relates_to_product_reference": "7Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server:rubygem-thor-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server:rubygem-thor-0:0.19.1-1.el7.src"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
"relates_to_product_reference": "7Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.src"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
"relates_to_product_reference": "7Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.src"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
"relates_to_product_reference": "7Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation:rubygem-bundler-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation:rubygem-bundler-0:1.7.8-3.el7.src"
},
"product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
"relates_to_product_reference": "7Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
},
"product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"relates_to_product_reference": "7Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation:rubygem-thor-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation:rubygem-thor-0:0.19.1-1.el7.src"
},
"product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
"relates_to_product_reference": "7Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
},
"product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"relates_to_product_reference": "7Workstation"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2013-0334",
"cwe": {
"id": "CWE-345",
"name": "Insufficient Verification of Data Authenticity"
},
"discovery_date": "2014-09-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1146335"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to one of the sources could create a malicious gem with the same name, which they could then use to trick a user into installing, potentially resulting in execution of code from the attacker-supplied malicious gem.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-bundler: \u0027bundle install\u0027 may install a gem from a source other than expected",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Client-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Client-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7Client-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Client-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Client-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7Client-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Client:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Client:rubygem-bundler-0:1.7.8-3.el7.src",
"7Client:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Client:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Client:rubygem-thor-0:0.19.1-1.el7.src",
"7Client:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7ComputeNode-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7ComputeNode-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.src",
"7ComputeNode:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7ComputeNode:rubygem-thor-0:0.19.1-1.el7.noarch",
"7ComputeNode:rubygem-thor-0:0.19.1-1.el7.src",
"7ComputeNode:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Server-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Server-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7Server-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Server-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Server-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7Server-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Server:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Server:rubygem-bundler-0:1.7.8-3.el7.src",
"7Server:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Server:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Server:rubygem-thor-0:0.19.1-1.el7.src",
"7Server:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7Workstation-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7Workstation-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Workstation:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Workstation:rubygem-bundler-0:1.7.8-3.el7.src",
"7Workstation:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Workstation:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Workstation:rubygem-thor-0:0.19.1-1.el7.src",
"7Workstation:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-0334"
},
{
"category": "external",
"summary": "RHBZ#1146335",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146335"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-0334",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0334"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0334",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0334"
},
{
"category": "external",
"summary": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html",
"url": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html"
}
],
"release_date": "2014-08-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-11-19T02:52:05+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Client-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Client-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7Client-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Client-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Client-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7Client-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Client:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Client:rubygem-bundler-0:1.7.8-3.el7.src",
"7Client:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Client:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Client:rubygem-thor-0:0.19.1-1.el7.src",
"7Client:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7ComputeNode-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7ComputeNode-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.src",
"7ComputeNode:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7ComputeNode:rubygem-thor-0:0.19.1-1.el7.noarch",
"7ComputeNode:rubygem-thor-0:0.19.1-1.el7.src",
"7ComputeNode:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Server-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Server-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7Server-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Server-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Server-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7Server-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Server:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Server:rubygem-bundler-0:1.7.8-3.el7.src",
"7Server:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Server:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Server:rubygem-thor-0:0.19.1-1.el7.src",
"7Server:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7Workstation-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7Workstation-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Workstation:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Workstation:rubygem-bundler-0:1.7.8-3.el7.src",
"7Workstation:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Workstation:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Workstation:rubygem-thor-0:0.19.1-1.el7.src",
"7Workstation:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:2180"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"7Client-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Client-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7Client-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Client-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Client-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7Client-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Client:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Client:rubygem-bundler-0:1.7.8-3.el7.src",
"7Client:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Client:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Client:rubygem-thor-0:0.19.1-1.el7.src",
"7Client:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7ComputeNode-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7ComputeNode-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.src",
"7ComputeNode:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7ComputeNode:rubygem-thor-0:0.19.1-1.el7.noarch",
"7ComputeNode:rubygem-thor-0:0.19.1-1.el7.src",
"7ComputeNode:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Server-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Server-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7Server-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Server-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Server-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7Server-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Server:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Server:rubygem-bundler-0:1.7.8-3.el7.src",
"7Server:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Server:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Server:rubygem-thor-0:0.19.1-1.el7.src",
"7Server:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.src",
"7Workstation-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.src",
"7Workstation-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
"7Workstation:rubygem-bundler-0:1.7.8-3.el7.noarch",
"7Workstation:rubygem-bundler-0:1.7.8-3.el7.src",
"7Workstation:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
"7Workstation:rubygem-thor-0:0.19.1-1.el7.noarch",
"7Workstation:rubygem-thor-0:0.19.1-1.el7.src",
"7Workstation:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-bundler: \u0027bundle install\u0027 may install a gem from a source other than expected"
}
]
}
GSD-2013-0334
Vulnerability from gsd - Updated: 2014-08-13 00:00
{
"GSD": {
"alias": "CVE-2013-0334",
"description": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.",
"id": "GSD-2013-0334",
"references": [
"https://www.suse.com/security/cve/CVE-2013-0334.html",
"https://access.redhat.com/errata/RHSA-2015:2180",
"https://linux.oracle.com/cve/CVE-2013-0334.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "bundler",
"purl": "pkg:gem/bundler"
}
}
],
"aliases": [
"CVE-2013-0334",
"OSVDB-110004"
],
"details": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source. A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to one of the sources could create a malicious gem with the same name, which they could then use to trick a user into installing, potentially resulting in execution of code from the attacker-supplied malicious gem.",
"id": "GSD-2013-0334",
"modified": "2014-08-13T00:00:00.000Z",
"published": "2014-08-13T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0334"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 5.0,
"type": "CVSS_V2"
}
],
"summary": "CVE-2013-0334 rubygem-bundler: \u0027bundle install\u0027 may install a gem from a source other than expected"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-0334",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "GLSA-201609-02",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201609-02"
},
{
"name": "FEDORA-2014-11649",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html"
},
{
"name": "FEDORA-2014-11630",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html"
},
{
"name": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html",
"refsource": "CONFIRM",
"url": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"name": "FEDORA-2014-11677",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html"
},
{
"name": "openSUSE-SU-2015:0628",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html"
},
{
"name": "70099",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/70099"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-0334",
"cvss_v2": 5.0,
"date": "2014-08-13",
"description": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source. A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to one of the sources could create a malicious gem with the same name, which they could then use to trick a user into installing, potentially resulting in execution of code from the attacker-supplied malicious gem.",
"gem": "bundler",
"osvdb": 110004,
"patched_versions": [
"\u003e= 1.7.0"
],
"title": "CVE-2013-0334 rubygem-bundler: \u0027bundle install\u0027 may install a gem from a source other than expected",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0334"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c1.7.0",
"affected_versions": "All versions before 1.7.0",
"credit": "Andreas Loupasakis, Fotos Georgiadis\r\n",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-20",
"CWE-937"
],
"date": "2019-07-16",
"description": "Any Gemfile with multiple top-level `source` lines cannot reliably control the gem server that a particular gem is fetched from. As a result, Bundler might install the wrong gem if more than one source provides a gem with the same name. This is especially possible in the case of Github\u0027s legacy gem server, hosted at gems.github.com. An attacker might create a malicious gem on Rubygems.org with the same name as a commonly-used Github gem. From that point forward, running `bundle install` might result in the malicious gem being used instead of the expected gem. ",
"fixed_versions": [
"1.7.0"
],
"identifier": "CVE-2013-0334",
"identifiers": [
"CVE-2013-0334"
],
"not_impacted": "All versions starting from 1.7.0",
"package_slug": "gem/bundler",
"pubdate": "2014-10-31",
"solution": "Upgrade to version 1.7.0 or above.",
"title": "Remote code execution",
"urls": [
"http://osvdb.org/show/osvdb/110004",
"https://groups.google.com/forum/#!topic/ruby-security-ann/Rms5sZhLxdo"
],
"uuid": "fcb7cb20-d8f5-446e-bcb1-6af25f40c432"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "1.7.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-0334"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "FEDORA-2014-11630",
"refsource": "FEDORA",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html"
},
{
"name": "FEDORA-2014-11677",
"refsource": "FEDORA",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html"
},
{
"name": "FEDORA-2014-11649",
"refsource": "FEDORA",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html"
},
{
"name": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html"
},
{
"name": "openSUSE-SU-2015:0628",
"refsource": "SUSE",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"name": "70099",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/70099"
},
{
"name": "GLSA-201609-02",
"refsource": "GENTOO",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/201609-02"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2019-07-16T12:21Z",
"publishedDate": "2014-10-31T14:55Z"
}
}
}
GHSA-49JX-9CMC-XJXM
Vulnerability from github – Published: 2022-05-05 02:48 – Updated: 2023-03-20 19:50 – Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "bundler"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-0334"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-20T19:50:20Z",
"nvd_published_at": "2014-10-31T14:55:00Z",
"severity": "MODERATE"
},
"details": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.",
"id": "GHSA-49jx-9cmc-xjxm",
"modified": "2023-03-20T19:50:20Z",
"published": "2022-05-05T02:48:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0334"
},
{
"type": "PACKAGE",
"url": "https://github.com/rubygems/bundler"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2013-0334.yml"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201609-02"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20210122060358/https://www.securityfocus.com/bid/70099"
},
{
"type": "WEB",
"url": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Bundler may install gems from a different source than expected"
}