cvelistv5 - cve-2013-0334

CVE-2013-0334 (GCVE-0-2013-0334)

Vulnerability from cvelistv5 – Published: 2014-10-31 14:00 – Updated: 2024-08-06 14:25

Summary

Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

RHSA-2015_2180

Vulnerability from csaf_redhat - Published: 2015-11-19 02:52 - Updated: 2024-11-22 09:05

Summary

Red Hat Security Advisory: rubygem-bundler and rubygem-thor security, bug fix, and enhancement update

Notes

Topic

Updated rubygem-bundler and rubygem-thor packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Details

Bundler manages an application's dependencies through its entire life, across many machines, systematically and repeatably. Thor is a toolkit for building powerful command-line interfaces. A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to one of the sources could create a malicious gem with the same name, which they could then use to trick a user into installing, potentially resulting in execution of code from the attacker-supplied malicious gem. (CVE-2013-0334) Bundler has been upgraded to upstream version 1.7.8 and Thor has been upgraded to upstream version 1.19.1, both of which provide a number of bug fixes and enhancements over the previous versions. (BZ#1194243, BZ#1209921) All rubygem-bundler and rubygem-thor users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated rubygem-bundler and rubygem-thor packages that fix one security\nissue, several bugs, and add various enhancements are now available for Red\nHat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Bundler manages an application\u0027s dependencies through its entire life,\nacross many machines, systematically and repeatably. Thor is a toolkit for\nbuilding powerful command-line interfaces.\n\nA flaw was found in the way Bundler handled gems available from multiple\nsources. An attacker with access to one of the sources could create a\nmalicious gem with the same name, which they could then use to trick a user\ninto installing, potentially resulting in execution of code from the\nattacker-supplied malicious gem. (CVE-2013-0334)\n\nBundler has been upgraded to upstream version 1.7.8 and Thor has been\nupgraded to upstream version 1.19.1, both of which provide a number of bug\nfixes and enhancements over the previous versions. (BZ#1194243, BZ#1209921)\n\nAll rubygem-bundler and rubygem-thor users are advised to upgrade to these\nupdated packages, which correct these issues and add these enhancements.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2015:2180",
        "url": "https://access.redhat.com/errata/RHSA-2015:2180"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "1146335",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146335"
      },
      {
        "category": "external",
        "summary": "1163076",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1163076"
      },
      {
        "category": "external",
        "summary": "1194243",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1194243"
      },
      {
        "category": "external",
        "summary": "1209921",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1209921"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2180.json"
      }
    ],
    "title": "Red Hat Security Advisory: rubygem-bundler and rubygem-thor security, bug fix, and enhancement update",
    "tracking": {
      "current_release_date": "2024-11-22T09:05:31+00:00",
      "generator": {
        "date": "2024-11-22T09:05:31+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2015:2180",
      "initial_release_date": "2015-11-19T02:52:05+00:00",
      "revision_history": [
        {
          "date": "2015-11-19T02:52:05+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2015-11-19T02:52:05+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T09:05:31+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Client (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux Client (v. 7)",
                  "product_id": "7Client",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::client"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Client Optional (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux Client Optional (v. 7)",
                  "product_id": "7Client-optional",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::client"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux ComputeNode (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux ComputeNode (v. 7)",
                  "product_id": "7ComputeNode",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
                  "product_id": "7ComputeNode-optional",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Server (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux Server (v. 7)",
                  "product_id": "7Server",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::server"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Server Optional (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux Server Optional (v. 7)",
                  "product_id": "7Server-optional",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::server"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Workstation (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux Workstation (v. 7)",
                  "product_id": "7Workstation",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
                  "product_id": "7Workstation-optional",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rubygem-thor-0:0.19.1-1.el7.src",
                "product": {
                  "name": "rubygem-thor-0:0.19.1-1.el7.src",
                  "product_id": "rubygem-thor-0:0.19.1-1.el7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rubygem-thor@0.19.1-1.el7?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rubygem-bundler-0:1.7.8-3.el7.src",
                "product": {
                  "name": "rubygem-bundler-0:1.7.8-3.el7.src",
                  "product_id": "rubygem-bundler-0:1.7.8-3.el7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rubygem-bundler@1.7.8-3.el7?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rubygem-thor-0:0.19.1-1.el7.noarch",
                "product": {
                  "name": "rubygem-thor-0:0.19.1-1.el7.noarch",
                  "product_id": "rubygem-thor-0:0.19.1-1.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rubygem-thor@0.19.1-1.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
                "product": {
                  "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
                  "product_id": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rubygem-thor-doc@0.19.1-1.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rubygem-bundler-0:1.7.8-3.el7.noarch",
                "product": {
                  "name": "rubygem-bundler-0:1.7.8-3.el7.noarch",
                  "product_id": "rubygem-bundler-0:1.7.8-3.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rubygem-bundler@1.7.8-3.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
                "product": {
                  "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
                  "product_id": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rubygem-bundler-doc@1.7.8-3.el7?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
          "product_id": "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Client-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
          "product_id": "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.src"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
        "relates_to_product_reference": "7Client-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
          "product_id": "7Client-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Client-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
          "product_id": "7Client-optional:rubygem-thor-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Client-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
          "product_id": "7Client-optional:rubygem-thor-0:0.19.1-1.el7.src"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
        "relates_to_product_reference": "7Client-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
          "product_id": "7Client-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Client-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
          "product_id": "7Client:rubygem-bundler-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Client"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Client (v. 7)",
          "product_id": "7Client:rubygem-bundler-0:1.7.8-3.el7.src"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
        "relates_to_product_reference": "7Client"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
          "product_id": "7Client:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Client"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
          "product_id": "7Client:rubygem-thor-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Client"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Client (v. 7)",
          "product_id": "7Client:rubygem-thor-0:0.19.1-1.el7.src"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
        "relates_to_product_reference": "7Client"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
          "product_id": "7Client:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Client"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
          "product_id": "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7ComputeNode-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
          "product_id": "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.src"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
        "relates_to_product_reference": "7ComputeNode-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
          "product_id": "7ComputeNode-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7ComputeNode-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
          "product_id": "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7ComputeNode-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
          "product_id": "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.src"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
        "relates_to_product_reference": "7ComputeNode-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
          "product_id": "7ComputeNode-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7ComputeNode-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
          "product_id": "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7ComputeNode"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
          "product_id": "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.src"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
        "relates_to_product_reference": "7ComputeNode"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
          "product_id": "7ComputeNode:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7ComputeNode"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
          "product_id": "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7ComputeNode"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
          "product_id": "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.src"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
        "relates_to_product_reference": "7ComputeNode"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
          "product_id": "7ComputeNode:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7ComputeNode"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
          "product_id": "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Server-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
          "product_id": "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.src"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
        "relates_to_product_reference": "7Server-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
          "product_id": "7Server-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Server-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
          "product_id": "7Server-optional:rubygem-thor-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Server-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
          "product_id": "7Server-optional:rubygem-thor-0:0.19.1-1.el7.src"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
        "relates_to_product_reference": "7Server-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
          "product_id": "7Server-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Server-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server:rubygem-bundler-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server:rubygem-bundler-0:1.7.8-3.el7.src"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
        "relates_to_product_reference": "7Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server:rubygem-thor-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server:rubygem-thor-0:0.19.1-1.el7.src"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
        "relates_to_product_reference": "7Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
          "product_id": "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Workstation-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
          "product_id": "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.src"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
        "relates_to_product_reference": "7Workstation-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
          "product_id": "7Workstation-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Workstation-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
          "product_id": "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Workstation-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
          "product_id": "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.src"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
        "relates_to_product_reference": "7Workstation-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
          "product_id": "7Workstation-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Workstation-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
          "product_id": "7Workstation:rubygem-bundler-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Workstation (v. 7)",
          "product_id": "7Workstation:rubygem-bundler-0:1.7.8-3.el7.src"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
        "relates_to_product_reference": "7Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
          "product_id": "7Workstation:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
          "product_id": "7Workstation:rubygem-thor-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Workstation (v. 7)",
          "product_id": "7Workstation:rubygem-thor-0:0.19.1-1.el7.src"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
        "relates_to_product_reference": "7Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
          "product_id": "7Workstation:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Workstation"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2013-0334",
      "cwe": {
        "id": "CWE-345",
        "name": "Insufficient Verification of Data Authenticity"
      },
      "discovery_date": "2014-09-24T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1146335"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to one of the sources could create a malicious gem with the same name, which they could then use to trick a user into installing, potentially resulting in execution of code from the attacker-supplied malicious gem.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "rubygem-bundler: \u0027bundle install\u0027 may install a gem from a source other than expected",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
          "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.src",
          "7Client-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
          "7Client-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
          "7Client-optional:rubygem-thor-0:0.19.1-1.el7.src",
          "7Client-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
          "7Client:rubygem-bundler-0:1.7.8-3.el7.noarch",
          "7Client:rubygem-bundler-0:1.7.8-3.el7.src",
          "7Client:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
          "7Client:rubygem-thor-0:0.19.1-1.el7.noarch",
          "7Client:rubygem-thor-0:0.19.1-1.el7.src",
          "7Client:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
          "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
          "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.src",
          "7ComputeNode-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
          "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
          "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.src",
          "7ComputeNode-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
          "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.noarch",
          "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.src",
          "7ComputeNode:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
          "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.noarch",
          "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.src",
          "7ComputeNode:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
          "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
          "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.src",
          "7Server-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
          "7Server-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
          "7Server-optional:rubygem-thor-0:0.19.1-1.el7.src",
          "7Server-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
          "7Server:rubygem-bundler-0:1.7.8-3.el7.noarch",
          "7Server:rubygem-bundler-0:1.7.8-3.el7.src",
          "7Server:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
          "7Server:rubygem-thor-0:0.19.1-1.el7.noarch",
          "7Server:rubygem-thor-0:0.19.1-1.el7.src",
          "7Server:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
          "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
          "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.src",
          "7Workstation-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
          "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
          "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.src",
          "7Workstation-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
          "7Workstation:rubygem-bundler-0:1.7.8-3.el7.noarch",
          "7Workstation:rubygem-bundler-0:1.7.8-3.el7.src",
          "7Workstation:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
          "7Workstation:rubygem-thor-0:0.19.1-1.el7.noarch",
          "7Workstation:rubygem-thor-0:0.19.1-1.el7.src",
          "7Workstation:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-0334"
        },
        {
          "category": "external",
          "summary": "RHBZ#1146335",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146335"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-0334",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-0334"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0334",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0334"
        },
        {
          "category": "external",
          "summary": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html",
          "url": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html"
        }
      ],
      "release_date": "2014-08-14T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-11-19T02:52:05+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Client-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Client-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Client-optional:rubygem-thor-0:0.19.1-1.el7.src",
            "7Client-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Client:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Client:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Client:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Client:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Client:rubygem-thor-0:0.19.1-1.el7.src",
            "7Client:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.src",
            "7ComputeNode-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.src",
            "7ComputeNode-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.src",
            "7ComputeNode:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.src",
            "7ComputeNode:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Server-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Server-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Server-optional:rubygem-thor-0:0.19.1-1.el7.src",
            "7Server-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Server:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Server:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Server:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Server:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Server:rubygem-thor-0:0.19.1-1.el7.src",
            "7Server:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Workstation-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.src",
            "7Workstation-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Workstation:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Workstation:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Workstation:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Workstation:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Workstation:rubygem-thor-0:0.19.1-1.el7.src",
            "7Workstation:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:2180"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Client-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Client-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Client-optional:rubygem-thor-0:0.19.1-1.el7.src",
            "7Client-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Client:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Client:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Client:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Client:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Client:rubygem-thor-0:0.19.1-1.el7.src",
            "7Client:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.src",
            "7ComputeNode-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.src",
            "7ComputeNode-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.src",
            "7ComputeNode:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.src",
            "7ComputeNode:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Server-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Server-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Server-optional:rubygem-thor-0:0.19.1-1.el7.src",
            "7Server-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Server:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Server:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Server:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Server:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Server:rubygem-thor-0:0.19.1-1.el7.src",
            "7Server:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Workstation-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.src",
            "7Workstation-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Workstation:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Workstation:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Workstation:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Workstation:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Workstation:rubygem-thor-0:0.19.1-1.el7.src",
            "7Workstation:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "rubygem-bundler: \u0027bundle install\u0027 may install a gem from a source other than expected"
    }
  ]
}

RHSA-2015:2180

Vulnerability from csaf_redhat - Published: 2015-11-19 02:52 - Updated: 2025-11-21 17:54

Summary

Red Hat Security Advisory: rubygem-bundler and rubygem-thor security, bug fix, and enhancement update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated rubygem-bundler and rubygem-thor packages that fix one security\nissue, several bugs, and add various enhancements are now available for Red\nHat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Bundler manages an application\u0027s dependencies through its entire life,\nacross many machines, systematically and repeatably. Thor is a toolkit for\nbuilding powerful command-line interfaces.\n\nA flaw was found in the way Bundler handled gems available from multiple\nsources. An attacker with access to one of the sources could create a\nmalicious gem with the same name, which they could then use to trick a user\ninto installing, potentially resulting in execution of code from the\nattacker-supplied malicious gem. (CVE-2013-0334)\n\nBundler has been upgraded to upstream version 1.7.8 and Thor has been\nupgraded to upstream version 1.19.1, both of which provide a number of bug\nfixes and enhancements over the previous versions. (BZ#1194243, BZ#1209921)\n\nAll rubygem-bundler and rubygem-thor users are advised to upgrade to these\nupdated packages, which correct these issues and add these enhancements.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2015:2180",
        "url": "https://access.redhat.com/errata/RHSA-2015:2180"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "1146335",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146335"
      },
      {
        "category": "external",
        "summary": "1163076",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1163076"
      },
      {
        "category": "external",
        "summary": "1194243",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1194243"
      },
      {
        "category": "external",
        "summary": "1209921",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1209921"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2180.json"
      }
    ],
    "title": "Red Hat Security Advisory: rubygem-bundler and rubygem-thor security, bug fix, and enhancement update",
    "tracking": {
      "current_release_date": "2025-11-21T17:54:05+00:00",
      "generator": {
        "date": "2025-11-21T17:54:05+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2015:2180",
      "initial_release_date": "2015-11-19T02:52:05+00:00",
      "revision_history": [
        {
          "date": "2015-11-19T02:52:05+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2015-11-19T02:52:05+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:54:05+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Client (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux Client (v. 7)",
                  "product_id": "7Client",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::client"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Client Optional (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux Client Optional (v. 7)",
                  "product_id": "7Client-optional",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::client"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux ComputeNode (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux ComputeNode (v. 7)",
                  "product_id": "7ComputeNode",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
                  "product_id": "7ComputeNode-optional",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Server (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux Server (v. 7)",
                  "product_id": "7Server",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::server"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Server Optional (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux Server Optional (v. 7)",
                  "product_id": "7Server-optional",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::server"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Workstation (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux Workstation (v. 7)",
                  "product_id": "7Workstation",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
                  "product_id": "7Workstation-optional",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rubygem-thor-0:0.19.1-1.el7.src",
                "product": {
                  "name": "rubygem-thor-0:0.19.1-1.el7.src",
                  "product_id": "rubygem-thor-0:0.19.1-1.el7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rubygem-thor@0.19.1-1.el7?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rubygem-bundler-0:1.7.8-3.el7.src",
                "product": {
                  "name": "rubygem-bundler-0:1.7.8-3.el7.src",
                  "product_id": "rubygem-bundler-0:1.7.8-3.el7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rubygem-bundler@1.7.8-3.el7?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rubygem-thor-0:0.19.1-1.el7.noarch",
                "product": {
                  "name": "rubygem-thor-0:0.19.1-1.el7.noarch",
                  "product_id": "rubygem-thor-0:0.19.1-1.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rubygem-thor@0.19.1-1.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
                "product": {
                  "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
                  "product_id": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rubygem-thor-doc@0.19.1-1.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rubygem-bundler-0:1.7.8-3.el7.noarch",
                "product": {
                  "name": "rubygem-bundler-0:1.7.8-3.el7.noarch",
                  "product_id": "rubygem-bundler-0:1.7.8-3.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rubygem-bundler@1.7.8-3.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
                "product": {
                  "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
                  "product_id": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rubygem-bundler-doc@1.7.8-3.el7?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
          "product_id": "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Client-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
          "product_id": "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.src"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
        "relates_to_product_reference": "7Client-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
          "product_id": "7Client-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Client-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
          "product_id": "7Client-optional:rubygem-thor-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Client-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
          "product_id": "7Client-optional:rubygem-thor-0:0.19.1-1.el7.src"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
        "relates_to_product_reference": "7Client-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
          "product_id": "7Client-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Client-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
          "product_id": "7Client:rubygem-bundler-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Client"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Client (v. 7)",
          "product_id": "7Client:rubygem-bundler-0:1.7.8-3.el7.src"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
        "relates_to_product_reference": "7Client"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
          "product_id": "7Client:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Client"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
          "product_id": "7Client:rubygem-thor-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Client"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Client (v. 7)",
          "product_id": "7Client:rubygem-thor-0:0.19.1-1.el7.src"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
        "relates_to_product_reference": "7Client"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
          "product_id": "7Client:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Client"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
          "product_id": "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7ComputeNode-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
          "product_id": "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.src"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
        "relates_to_product_reference": "7ComputeNode-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
          "product_id": "7ComputeNode-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7ComputeNode-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
          "product_id": "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7ComputeNode-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
          "product_id": "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.src"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
        "relates_to_product_reference": "7ComputeNode-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
          "product_id": "7ComputeNode-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7ComputeNode-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
          "product_id": "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7ComputeNode"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
          "product_id": "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.src"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
        "relates_to_product_reference": "7ComputeNode"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
          "product_id": "7ComputeNode:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7ComputeNode"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
          "product_id": "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7ComputeNode"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
          "product_id": "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.src"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
        "relates_to_product_reference": "7ComputeNode"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
          "product_id": "7ComputeNode:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7ComputeNode"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
          "product_id": "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Server-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
          "product_id": "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.src"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
        "relates_to_product_reference": "7Server-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
          "product_id": "7Server-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Server-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
          "product_id": "7Server-optional:rubygem-thor-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Server-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
          "product_id": "7Server-optional:rubygem-thor-0:0.19.1-1.el7.src"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
        "relates_to_product_reference": "7Server-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
          "product_id": "7Server-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Server-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server:rubygem-bundler-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server:rubygem-bundler-0:1.7.8-3.el7.src"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
        "relates_to_product_reference": "7Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server:rubygem-thor-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server:rubygem-thor-0:0.19.1-1.el7.src"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
        "relates_to_product_reference": "7Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
          "product_id": "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Workstation-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
          "product_id": "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.src"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
        "relates_to_product_reference": "7Workstation-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
          "product_id": "7Workstation-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Workstation-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
          "product_id": "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Workstation-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
          "product_id": "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.src"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
        "relates_to_product_reference": "7Workstation-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
          "product_id": "7Workstation-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Workstation-optional"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
          "product_id": "7Workstation:rubygem-bundler-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-0:1.7.8-3.el7.src as a component of Red Hat Enterprise Linux Workstation (v. 7)",
          "product_id": "7Workstation:rubygem-bundler-0:1.7.8-3.el7.src"
        },
        "product_reference": "rubygem-bundler-0:1.7.8-3.el7.src",
        "relates_to_product_reference": "7Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
          "product_id": "7Workstation:rubygem-bundler-doc-0:1.7.8-3.el7.noarch"
        },
        "product_reference": "rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
        "relates_to_product_reference": "7Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
          "product_id": "7Workstation:rubygem-thor-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-0:0.19.1-1.el7.src as a component of Red Hat Enterprise Linux Workstation (v. 7)",
          "product_id": "7Workstation:rubygem-thor-0:0.19.1-1.el7.src"
        },
        "product_reference": "rubygem-thor-0:0.19.1-1.el7.src",
        "relates_to_product_reference": "7Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-thor-doc-0:0.19.1-1.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
          "product_id": "7Workstation:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
        },
        "product_reference": "rubygem-thor-doc-0:0.19.1-1.el7.noarch",
        "relates_to_product_reference": "7Workstation"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2013-0334",
      "cwe": {
        "id": "CWE-345",
        "name": "Insufficient Verification of Data Authenticity"
      },
      "discovery_date": "2014-09-24T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1146335"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to one of the sources could create a malicious gem with the same name, which they could then use to trick a user into installing, potentially resulting in execution of code from the attacker-supplied malicious gem.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "rubygem-bundler: \u0027bundle install\u0027 may install a gem from a source other than expected",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
          "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.src",
          "7Client-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
          "7Client-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
          "7Client-optional:rubygem-thor-0:0.19.1-1.el7.src",
          "7Client-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
          "7Client:rubygem-bundler-0:1.7.8-3.el7.noarch",
          "7Client:rubygem-bundler-0:1.7.8-3.el7.src",
          "7Client:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
          "7Client:rubygem-thor-0:0.19.1-1.el7.noarch",
          "7Client:rubygem-thor-0:0.19.1-1.el7.src",
          "7Client:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
          "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
          "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.src",
          "7ComputeNode-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
          "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
          "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.src",
          "7ComputeNode-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
          "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.noarch",
          "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.src",
          "7ComputeNode:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
          "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.noarch",
          "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.src",
          "7ComputeNode:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
          "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
          "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.src",
          "7Server-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
          "7Server-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
          "7Server-optional:rubygem-thor-0:0.19.1-1.el7.src",
          "7Server-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
          "7Server:rubygem-bundler-0:1.7.8-3.el7.noarch",
          "7Server:rubygem-bundler-0:1.7.8-3.el7.src",
          "7Server:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
          "7Server:rubygem-thor-0:0.19.1-1.el7.noarch",
          "7Server:rubygem-thor-0:0.19.1-1.el7.src",
          "7Server:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
          "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
          "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.src",
          "7Workstation-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
          "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
          "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.src",
          "7Workstation-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
          "7Workstation:rubygem-bundler-0:1.7.8-3.el7.noarch",
          "7Workstation:rubygem-bundler-0:1.7.8-3.el7.src",
          "7Workstation:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
          "7Workstation:rubygem-thor-0:0.19.1-1.el7.noarch",
          "7Workstation:rubygem-thor-0:0.19.1-1.el7.src",
          "7Workstation:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-0334"
        },
        {
          "category": "external",
          "summary": "RHBZ#1146335",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146335"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-0334",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-0334"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0334",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0334"
        },
        {
          "category": "external",
          "summary": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html",
          "url": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html"
        }
      ],
      "release_date": "2014-08-14T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-11-19T02:52:05+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Client-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Client-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Client-optional:rubygem-thor-0:0.19.1-1.el7.src",
            "7Client-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Client:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Client:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Client:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Client:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Client:rubygem-thor-0:0.19.1-1.el7.src",
            "7Client:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.src",
            "7ComputeNode-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.src",
            "7ComputeNode-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.src",
            "7ComputeNode:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.src",
            "7ComputeNode:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Server-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Server-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Server-optional:rubygem-thor-0:0.19.1-1.el7.src",
            "7Server-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Server:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Server:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Server:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Server:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Server:rubygem-thor-0:0.19.1-1.el7.src",
            "7Server:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Workstation-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.src",
            "7Workstation-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Workstation:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Workstation:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Workstation:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Workstation:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Workstation:rubygem-thor-0:0.19.1-1.el7.src",
            "7Workstation:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:2180"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Client-optional:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Client-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Client-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Client-optional:rubygem-thor-0:0.19.1-1.el7.src",
            "7Client-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Client:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Client:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Client:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Client:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Client:rubygem-thor-0:0.19.1-1.el7.src",
            "7Client:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7ComputeNode-optional:rubygem-bundler-0:1.7.8-3.el7.src",
            "7ComputeNode-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7ComputeNode-optional:rubygem-thor-0:0.19.1-1.el7.src",
            "7ComputeNode-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7ComputeNode:rubygem-bundler-0:1.7.8-3.el7.src",
            "7ComputeNode:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7ComputeNode:rubygem-thor-0:0.19.1-1.el7.src",
            "7ComputeNode:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Server-optional:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Server-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Server-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Server-optional:rubygem-thor-0:0.19.1-1.el7.src",
            "7Server-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Server:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Server:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Server:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Server:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Server:rubygem-thor-0:0.19.1-1.el7.src",
            "7Server:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Workstation-optional:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Workstation-optional:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Workstation-optional:rubygem-thor-0:0.19.1-1.el7.src",
            "7Workstation-optional:rubygem-thor-doc-0:0.19.1-1.el7.noarch",
            "7Workstation:rubygem-bundler-0:1.7.8-3.el7.noarch",
            "7Workstation:rubygem-bundler-0:1.7.8-3.el7.src",
            "7Workstation:rubygem-bundler-doc-0:1.7.8-3.el7.noarch",
            "7Workstation:rubygem-thor-0:0.19.1-1.el7.noarch",
            "7Workstation:rubygem-thor-0:0.19.1-1.el7.src",
            "7Workstation:rubygem-thor-doc-0:0.19.1-1.el7.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "rubygem-bundler: \u0027bundle install\u0027 may install a gem from a source other than expected"
    }
  ]
}

SUSE-SU-2015:0795-1

Vulnerability from csaf_suse - Published: 2015-03-11 16:15 - Updated: 2015-03-11 16:15

Summary

Security update for rubygem-bundler

Notes

Title of the patch

Security update for rubygem-bundler

Description of the patch

The Rubygem Bundler was updated to version 1.7.0. Bundler 1.7 is a security-only release to address CVE-2013-0334, a vulnerability where a gem might be installed from an unintended source server, particularly while using both rubygems.org and gems.github.com. Upstream changes entry with more explanations: Any Gemfile with multiple top-level source lines cannot reliably control the gem server that a particular gem is fetched from. As a result, Bundler might install the wrong gem if more than one source provides a gem with the same name. This is especially possible in the case of Github's legacy gem server, hosted at gems.github.com. An attacker might create a malicious gem on Rubygems.org with the same name as a commonly-used Github gem. From that point forward, running bundle install might result in the malicious gem being used instead of the expected gem. To mitigate this, the Bundler and Rubygems.org teams worked together to copy almost every gem hosted on gems.github.com to rubygems.org, reducing the number of gems that can be used for such an attack. Resolution: To resolve this issue, upgrade to Bundler 1.7 by running gem install bundler. The next time you run bundle install for any Gemfile that contains multiple sources, each gem available from multiple sources will print a warning. For every warning printed, edit the Gemfile to either specify a :source option for that gem, or move the gem line into a block that is passed to a source method call. For detailed information about the changes to how sources are handled in Bundler version 1.7, see the release announcement. Security Issues: * CVE-2013-0334 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0334>

Patchnames

sdksp3-rubygem-bundler,sleclo40sp3-rubygem-bundler,slehasp3-rubygem-bundler,sleslms13-rubygem-bundler,slestso13-rubygem-bundler,slestso13-rubygem-bundler19,slewyst13-rubygem-bundler

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for rubygem-bundler",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "\nThe Rubygem Bundler was updated to version 1.7.0.\n\nBundler 1.7 is a security-only release to address CVE-2013-0334, a \nvulnerability where a gem might be installed from an unintended source \nserver, particularly while using both rubygems.org and gems.github.com.\n\nUpstream changes entry with more explanations:\n\nAny Gemfile with multiple top-level source lines cannot reliably control \nthe gem server that a particular gem is fetched from. As a result, Bundler \nmight install the wrong gem if more than one source provides a gem with the \nsame name.\n\nThis is especially possible in the case of Github\u0027s legacy gem server, \nhosted at gems.github.com. An attacker might create a malicious gem on \nRubygems.org with the same name as a commonly-used Github gem. From that \npoint forward, running bundle install might result in the malicious gem \nbeing used instead of the expected gem.\n\nTo mitigate this, the Bundler and Rubygems.org teams worked together to \ncopy almost every gem hosted on gems.github.com to rubygems.org, reducing \nthe number of gems that can be used for such an attack.\n\nResolution:\n\nTo resolve this issue, upgrade to Bundler 1.7 by running gem install \nbundler. The next time you run bundle install for any Gemfile that contains \nmultiple sources, each gem available from multiple sources will print a \nwarning.\n\nFor every warning printed, edit the Gemfile to either specify a :source \noption for that gem, or move the gem line into a block that is passed to a \nsource method call.\n\nFor detailed information about the changes to how sources are handled in \nBundler version 1.7, see the release announcement.\n\nSecurity Issues:\n\n    * CVE-2013-0334\n      \u003chttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0334\u003e\n\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "sdksp3-rubygem-bundler,sleclo40sp3-rubygem-bundler,slehasp3-rubygem-bundler,sleslms13-rubygem-bundler,slestso13-rubygem-bundler,slestso13-rubygem-bundler19,slewyst13-rubygem-bundler",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2015_0795-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2015:0795-1",
        "url": "https://www.suse.com/support/update/announcement/2015/suse-su-20150795-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2015:0795-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2015-April/001365.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 898205",
        "url": "https://bugzilla.suse.com/898205"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2013-0334 page",
        "url": "https://www.suse.com/security/cve/CVE-2013-0334/"
      }
    ],
    "title": "Security update for rubygem-bundler",
    "tracking": {
      "current_release_date": "2015-03-11T16:15:22Z",
      "generator": {
        "date": "2015-03-11T16:15:22Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2015:0795-1",
      "initial_release_date": "2015-03-11T16:15:22Z",
      "revision_history": [
        {
          "date": "2015-03-11T16:15:22Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rubygem-bundler-1.7.0-0.7.1.i586",
                "product": {
                  "name": "rubygem-bundler-1.7.0-0.7.1.i586",
                  "product_id": "rubygem-bundler-1.7.0-0.7.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rubygem-bundler-1.7.0-0.7.1.ia64",
                "product": {
                  "name": "rubygem-bundler-1.7.0-0.7.1.ia64",
                  "product_id": "rubygem-bundler-1.7.0-0.7.1.ia64"
                }
              }
            ],
            "category": "architecture",
            "name": "ia64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rubygem-bundler-1.7.0-0.7.1.ppc64",
                "product": {
                  "name": "rubygem-bundler-1.7.0-0.7.1.ppc64",
                  "product_id": "rubygem-bundler-1.7.0-0.7.1.ppc64"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rubygem-bundler-1.7.0-0.7.1.s390x",
                "product": {
                  "name": "rubygem-bundler-1.7.0-0.7.1.s390x",
                  "product_id": "rubygem-bundler-1.7.0-0.7.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rubygem-bundler-1.7.0-0.7.1.x86_64",
                "product": {
                  "name": "rubygem-bundler-1.7.0-0.7.1.x86_64",
                  "product_id": "rubygem-bundler-1.7.0-0.7.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "rubygem-bundler19-1.7.0-0.12.1.x86_64",
                "product": {
                  "name": "rubygem-bundler19-1.7.0-0.12.1.x86_64",
                  "product_id": "rubygem-bundler19-1.7.0-0.12.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Software Development Kit 11 SP3",
                "product": {
                  "name": "SUSE Linux Enterprise Software Development Kit 11 SP3",
                  "product_id": "SUSE Linux Enterprise Software Development Kit 11 SP3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:suse:sle-sdk:11:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE OpenStack Cloud 4",
                "product": {
                  "name": "SUSE OpenStack Cloud 4",
                  "product_id": "SUSE OpenStack Cloud 4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:cloud:4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Availability Extension 11 SP3",
                "product": {
                  "name": "SUSE Linux Enterprise High Availability Extension 11 SP3",
                  "product_id": "SUSE Linux Enterprise High Availability Extension 11 SP3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:suse:sle-hae:11:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Lifecycle Management Server 1.3",
                "product": {
                  "name": "SUSE Lifecycle Management Server 1.3",
                  "product_id": "SUSE Lifecycle Management Server 1.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:suse:sle-slms:1.3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Studio Onsite 1.3",
                "product": {
                  "name": "SUSE Studio Onsite 1.3",
                  "product_id": "SUSE Studio Onsite 1.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-studioonsite:1.3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Studio Onsite 1.3",
                "product": {
                  "name": "SUSE Studio Onsite 1.3",
                  "product_id": "SUSE Studio Onsite 1.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-studioonsite:1.3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE WebYast 1.3",
                "product": {
                  "name": "SUSE WebYast 1.3",
                  "product_id": "SUSE WebYast 1.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:webyast:1.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-1.7.0-0.7.1.i586 as component of SUSE Linux Enterprise Software Development Kit 11 SP3",
          "product_id": "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.i586"
        },
        "product_reference": "rubygem-bundler-1.7.0-0.7.1.i586",
        "relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 11 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-1.7.0-0.7.1.ia64 as component of SUSE Linux Enterprise Software Development Kit 11 SP3",
          "product_id": "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.ia64"
        },
        "product_reference": "rubygem-bundler-1.7.0-0.7.1.ia64",
        "relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 11 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-1.7.0-0.7.1.ppc64 as component of SUSE Linux Enterprise Software Development Kit 11 SP3",
          "product_id": "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.ppc64"
        },
        "product_reference": "rubygem-bundler-1.7.0-0.7.1.ppc64",
        "relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 11 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-1.7.0-0.7.1.s390x as component of SUSE Linux Enterprise Software Development Kit 11 SP3",
          "product_id": "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.s390x"
        },
        "product_reference": "rubygem-bundler-1.7.0-0.7.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 11 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-1.7.0-0.7.1.x86_64 as component of SUSE Linux Enterprise Software Development Kit 11 SP3",
          "product_id": "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.x86_64"
        },
        "product_reference": "rubygem-bundler-1.7.0-0.7.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 11 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-1.7.0-0.7.1.x86_64 as component of SUSE OpenStack Cloud 4",
          "product_id": "SUSE OpenStack Cloud 4:rubygem-bundler-1.7.0-0.7.1.x86_64"
        },
        "product_reference": "rubygem-bundler-1.7.0-0.7.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-1.7.0-0.7.1.i586 as component of SUSE Linux Enterprise High Availability Extension 11 SP3",
          "product_id": "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.i586"
        },
        "product_reference": "rubygem-bundler-1.7.0-0.7.1.i586",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 11 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-1.7.0-0.7.1.ia64 as component of SUSE Linux Enterprise High Availability Extension 11 SP3",
          "product_id": "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.ia64"
        },
        "product_reference": "rubygem-bundler-1.7.0-0.7.1.ia64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 11 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-1.7.0-0.7.1.ppc64 as component of SUSE Linux Enterprise High Availability Extension 11 SP3",
          "product_id": "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.ppc64"
        },
        "product_reference": "rubygem-bundler-1.7.0-0.7.1.ppc64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 11 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-1.7.0-0.7.1.s390x as component of SUSE Linux Enterprise High Availability Extension 11 SP3",
          "product_id": "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.s390x"
        },
        "product_reference": "rubygem-bundler-1.7.0-0.7.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 11 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-1.7.0-0.7.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 11 SP3",
          "product_id": "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.x86_64"
        },
        "product_reference": "rubygem-bundler-1.7.0-0.7.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 11 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-1.7.0-0.7.1.x86_64 as component of SUSE Lifecycle Management Server 1.3",
          "product_id": "SUSE Lifecycle Management Server 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64"
        },
        "product_reference": "rubygem-bundler-1.7.0-0.7.1.x86_64",
        "relates_to_product_reference": "SUSE Lifecycle Management Server 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-1.7.0-0.7.1.x86_64 as component of SUSE Studio Onsite 1.3",
          "product_id": "SUSE Studio Onsite 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64"
        },
        "product_reference": "rubygem-bundler-1.7.0-0.7.1.x86_64",
        "relates_to_product_reference": "SUSE Studio Onsite 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler19-1.7.0-0.12.1.x86_64 as component of SUSE Studio Onsite 1.3",
          "product_id": "SUSE Studio Onsite 1.3:rubygem-bundler19-1.7.0-0.12.1.x86_64"
        },
        "product_reference": "rubygem-bundler19-1.7.0-0.12.1.x86_64",
        "relates_to_product_reference": "SUSE Studio Onsite 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-1.7.0-0.7.1.x86_64 as component of SUSE Studio Onsite 1.3",
          "product_id": "SUSE Studio Onsite 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64"
        },
        "product_reference": "rubygem-bundler-1.7.0-0.7.1.x86_64",
        "relates_to_product_reference": "SUSE Studio Onsite 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler19-1.7.0-0.12.1.x86_64 as component of SUSE Studio Onsite 1.3",
          "product_id": "SUSE Studio Onsite 1.3:rubygem-bundler19-1.7.0-0.12.1.x86_64"
        },
        "product_reference": "rubygem-bundler19-1.7.0-0.12.1.x86_64",
        "relates_to_product_reference": "SUSE Studio Onsite 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-1.7.0-0.7.1.i586 as component of SUSE WebYast 1.3",
          "product_id": "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.i586"
        },
        "product_reference": "rubygem-bundler-1.7.0-0.7.1.i586",
        "relates_to_product_reference": "SUSE WebYast 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-1.7.0-0.7.1.ia64 as component of SUSE WebYast 1.3",
          "product_id": "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.ia64"
        },
        "product_reference": "rubygem-bundler-1.7.0-0.7.1.ia64",
        "relates_to_product_reference": "SUSE WebYast 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-1.7.0-0.7.1.ppc64 as component of SUSE WebYast 1.3",
          "product_id": "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.ppc64"
        },
        "product_reference": "rubygem-bundler-1.7.0-0.7.1.ppc64",
        "relates_to_product_reference": "SUSE WebYast 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-1.7.0-0.7.1.s390x as component of SUSE WebYast 1.3",
          "product_id": "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.s390x"
        },
        "product_reference": "rubygem-bundler-1.7.0-0.7.1.s390x",
        "relates_to_product_reference": "SUSE WebYast 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bundler-1.7.0-0.7.1.x86_64 as component of SUSE WebYast 1.3",
          "product_id": "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64"
        },
        "product_reference": "rubygem-bundler-1.7.0-0.7.1.x86_64",
        "relates_to_product_reference": "SUSE WebYast 1.3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2013-0334",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2013-0334"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Lifecycle Management Server 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64",
          "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.i586",
          "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.ia64",
          "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.ppc64",
          "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.s390x",
          "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.x86_64",
          "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.i586",
          "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.ia64",
          "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.ppc64",
          "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.s390x",
          "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.x86_64",
          "SUSE OpenStack Cloud 4:rubygem-bundler-1.7.0-0.7.1.x86_64",
          "SUSE Studio Onsite 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64",
          "SUSE Studio Onsite 1.3:rubygem-bundler19-1.7.0-0.12.1.x86_64",
          "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.i586",
          "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.ia64",
          "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.ppc64",
          "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.s390x",
          "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2013-0334",
          "url": "https://www.suse.com/security/cve/CVE-2013-0334"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 898205 for CVE-2013-0334",
          "url": "https://bugzilla.suse.com/898205"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 922719 for CVE-2013-0334",
          "url": "https://bugzilla.suse.com/922719"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Lifecycle Management Server 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64",
            "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.i586",
            "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.ia64",
            "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.ppc64",
            "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.s390x",
            "SUSE Linux Enterprise High Availability Extension 11 SP3:rubygem-bundler-1.7.0-0.7.1.x86_64",
            "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.i586",
            "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.ia64",
            "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.ppc64",
            "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.s390x",
            "SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-bundler-1.7.0-0.7.1.x86_64",
            "SUSE OpenStack Cloud 4:rubygem-bundler-1.7.0-0.7.1.x86_64",
            "SUSE Studio Onsite 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64",
            "SUSE Studio Onsite 1.3:rubygem-bundler19-1.7.0-0.12.1.x86_64",
            "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.i586",
            "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.ia64",
            "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.ppc64",
            "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.s390x",
            "SUSE WebYast 1.3:rubygem-bundler-1.7.0-0.7.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2015-03-11T16:15:22Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2013-0334"
    }
  ]
}

GHSA-49JX-9CMC-XJXM

Vulnerability from github – Published: 2022-05-05 02:48 – Updated: 2023-03-20 19:50

Summary

Bundler may install gems from a different source than expected

Details

Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "bundler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2013-0334"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-20T19:50:20Z",
    "nvd_published_at": "2014-10-31T14:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.",
  "id": "GHSA-49jx-9cmc-xjxm",
  "modified": "2023-03-20T19:50:20Z",
  "published": "2022-05-05T02:48:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0334"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rubygems/bundler"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2013-0334.yml"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201609-02"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20210122060358/https://www.securityfocus.com/bid/70099"
    },
    {
      "type": "WEB",
      "url": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Bundler may install gems from a different source than expected"
}

GSD-2013-0334

Vulnerability from gsd - Updated: 2014-08-13 00:00

Details

Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source. A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to one of the sources could create a malicious gem with the same name, which they could then use to trick a user into installing, potentially resulting in execution of code from the attacker-supplied malicious gem.

Aliases

CVE-2013-0334

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2013-0334",
    "description": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.",
    "id": "GSD-2013-0334",
    "references": [
      "https://www.suse.com/security/cve/CVE-2013-0334.html",
      "https://access.redhat.com/errata/RHSA-2015:2180",
      "https://linux.oracle.com/cve/CVE-2013-0334.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "bundler",
            "purl": "pkg:gem/bundler"
          }
        }
      ],
      "aliases": [
        "CVE-2013-0334",
        "OSVDB-110004"
      ],
      "details": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source. A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to one of the sources could create a malicious gem with the same name, which they could then use to trick a user into installing, potentially resulting in execution of code from the attacker-supplied malicious gem.",
      "id": "GSD-2013-0334",
      "modified": "2014-08-13T00:00:00.000Z",
      "published": "2014-08-13T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0334"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 5.0,
          "type": "CVSS_V2"
        }
      ],
      "summary": "CVE-2013-0334 rubygem-bundler: \u0027bundle install\u0027 may install a gem from a source other than expected"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2013-0334",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "GLSA-201609-02",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/201609-02"
          },
          {
            "name": "FEDORA-2014-11649",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html"
          },
          {
            "name": "FEDORA-2014-11630",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html"
          },
          {
            "name": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html",
            "refsource": "CONFIRM",
            "url": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html"
          },
          {
            "name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html",
            "refsource": "CONFIRM",
            "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
          },
          {
            "name": "FEDORA-2014-11677",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html"
          },
          {
            "name": "openSUSE-SU-2015:0628",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html"
          },
          {
            "name": "70099",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/70099"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2013-0334",
      "cvss_v2": 5.0,
      "date": "2014-08-13",
      "description": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source. A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to one of the sources could create a malicious gem with the same name, which they could then use to trick a user into installing, potentially resulting in execution of code from the attacker-supplied malicious gem.",
      "gem": "bundler",
      "osvdb": 110004,
      "patched_versions": [
        "\u003e= 1.7.0"
      ],
      "title": "CVE-2013-0334 rubygem-bundler: \u0027bundle install\u0027 may install a gem from a source other than expected",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0334"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.7.0",
          "affected_versions": "All versions before 1.7.0",
          "credit": "Andreas Loupasakis, Fotos Georgiadis\r\n",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-20",
            "CWE-937"
          ],
          "date": "2019-07-16",
          "description": "Any Gemfile with multiple top-level `source` lines cannot reliably control the gem server that a particular gem is fetched from. As a result, Bundler might install the wrong gem if more than one source provides a gem with the same name. This is especially possible in the case of Github\u0027s legacy gem server, hosted at gems.github.com. An attacker might create a malicious gem on Rubygems.org with the same name as a commonly-used Github gem. From that point forward, running `bundle install` might result in the malicious gem being used instead of the expected gem. ",
          "fixed_versions": [
            "1.7.0"
          ],
          "identifier": "CVE-2013-0334",
          "identifiers": [
            "CVE-2013-0334"
          ],
          "not_impacted": "All versions starting from 1.7.0",
          "package_slug": "gem/bundler",
          "pubdate": "2014-10-31",
          "solution": "Upgrade to version 1.7.0 or above.",
          "title": "Remote code execution",
          "urls": [
            "http://osvdb.org/show/osvdb/110004",
            "https://groups.google.com/forum/#!topic/ruby-security-ann/Rms5sZhLxdo"
          ],
          "uuid": "fcb7cb20-d8f5-446e-bcb1-6af25f40c432"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.7.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-0334"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "FEDORA-2014-11630",
              "refsource": "FEDORA",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html"
            },
            {
              "name": "FEDORA-2014-11677",
              "refsource": "FEDORA",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html"
            },
            {
              "name": "FEDORA-2014-11649",
              "refsource": "FEDORA",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html"
            },
            {
              "name": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html"
            },
            {
              "name": "openSUSE-SU-2015:0628",
              "refsource": "SUSE",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
            },
            {
              "name": "70099",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/70099"
            },
            {
              "name": "GLSA-201609-02",
              "refsource": "GENTOO",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.gentoo.org/glsa/201609-02"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2019-07-16T12:21Z",
      "publishedDate": "2014-10-31T14:55Z"
    }
  }
}

FKIE_CVE-2013-0334

Vulnerability from fkie_nvd - Published: 2014-10-31 14:55 - Updated: 2025-04-12 10:46

Severity ?

Summary

Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

References

URL	Tags
secalert@redhat.com	http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html	Vendor Advisory
secalert@redhat.com	http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html	Third Party Advisory
secalert@redhat.com	http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html	Third Party Advisory
secalert@redhat.com	http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html	Third Party Advisory
secalert@redhat.com	http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html	Third Party Advisory
secalert@redhat.com	http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html	Third Party Advisory
secalert@redhat.com	http://www.securityfocus.com/bid/70099	Third Party Advisory, VDB Entry
secalert@redhat.com	https://security.gentoo.org/glsa/201609-02	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/70099	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://security.gentoo.org/glsa/201609-02	Third Party Advisory

Impacted products

Vendor	Product	Version
bundler	bundler	*
opensuse	opensuse	13.1
opensuse	opensuse	13.2
fedoraproject	fedora	19
fedoraproject	fedora	20
fedoraproject	fedora	21

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "595843BB-8C46-462F-8494-F72A0328981A",
              "versionEndExcluding": "1.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*",
              "matchCriteriaId": "5991814D-CA77-4C25-90D2-DB542B17E0AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*",
              "matchCriteriaId": "FF47C9F0-D8DA-4B55-89EB-9B2C9383ADB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
              "matchCriteriaId": "56BDB5A0-0839-4A20-A003-B8CD56F48171",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source."
    },
    {
      "lang": "es",
      "value": "Bundler anterior a 1.7, cuando m\u00faltiples l\u00edneas de fuentes del m\u00e1ximo nivel est\u00e1n utilizadas, permite a atacantes remotos instalar gemas arbitrarias con el mismo nombre como otra gema en una fuente diferente."
    }
  ],
  "id": "CVE-2013-0334",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2014-10-31T14:55:02.687",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/70099"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/201609-02"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/70099"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/201609-02"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2013-0334 (GCVE-0-2013-0334)

RHSA-2015_2180

RHSA-2015:2180

SUSE-SU-2015:0795-1

GHSA-49JX-9CMC-XJXM

GSD-2013-0334

FKIE_CVE-2013-0334

Tags

Sightings

Nomenclature