SUSE-SU-2026:1355-1
Vulnerability from csaf_suse - Published: 2026-04-15 13:37 - Updated: 2026-04-15 13:37
Summary
Security update for rubygem-bundler
Severity
Important
Notes
Title of the patch: Security update for rubygem-bundler
Description of the patch:
This update for rubygem-bundler fixes the following issues:
Updated to version 2.2.34.
- CVE-2020-36327: Bundler chooses a dependency source based
on the highest gem version number, which means that a rogue gem
found at a public source may be chosen (bsc#1185842)
- CVE-2021-43809: rubygem-bundler: remote execution via Gemfile argument injection (bsc#1193578)
Patchnames: SUSE-2026-1355,SUSE-SLE-Module-Basesystem-15-SP7-2026-1355
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.8 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
7.3 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rubygem-bundler",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThis update for rubygem-bundler fixes the following issues:\n\nUpdated to version 2.2.34.\n\n- CVE-2020-36327: Bundler chooses a dependency source based\n on the highest gem version number, which means that a rogue gem\n found at a public source may be chosen (bsc#1185842)\n \n- CVE-2021-43809: rubygem-bundler: remote execution via Gemfile argument injection (bsc#1193578)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-1355,SUSE-SLE-Module-Basesystem-15-SP7-2026-1355",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_1355-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:1355-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20261355-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:1355-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-April/045561.html"
},
{
"category": "self",
"summary": "SUSE Bug 1185842",
"url": "https://bugzilla.suse.com/1185842"
},
{
"category": "self",
"summary": "SUSE Bug 1193578",
"url": "https://bugzilla.suse.com/1193578"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-36327 page",
"url": "https://www.suse.com/security/cve/CVE-2020-36327/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-43809 page",
"url": "https://www.suse.com/security/cve/CVE-2021-43809/"
}
],
"title": "Security update for rubygem-bundler",
"tracking": {
"current_release_date": "2026-04-15T13:37:50Z",
"generator": {
"date": "2026-04-15T13:37:50Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:1355-1",
"initial_release_date": "2026-04-15T13:37:50Z",
"revision_history": [
{
"date": "2026-04-15T13:37:50Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.aarch64",
"product": {
"name": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.aarch64",
"product_id": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.i586",
"product": {
"name": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.i586",
"product_id": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.ppc64le",
"product": {
"name": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.ppc64le",
"product_id": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.s390x",
"product": {
"name": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.s390x",
"product_id": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.x86_64",
"product": {
"name": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.x86_64",
"product_id": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.s390x"
},
"product_reference": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-36327",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-36327"
}
],
"notes": [
{
"category": "general",
"text": "Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every \"Dependency Confusion\" issue in every product.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-36327",
"url": "https://www.suse.com/security/cve/CVE-2020-36327"
},
{
"category": "external",
"summary": "SUSE Bug 1185842 for CVE-2020-36327",
"url": "https://bugzilla.suse.com/1185842"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-15T13:37:50Z",
"details": "important"
}
],
"title": "CVE-2020-36327"
},
{
"cve": "CVE-2021-43809",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-43809"
}
],
"notes": [
{
"category": "general",
"text": "`Bundler` is a package for managing application dependencies in Ruby. In `bundler` versions before 2.2.33, when working with untrusted and apparently harmless `Gemfile`\u0027s, it is not expected that they lead to execution of external code, unless that\u0027s explicit in the ruby code inside the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that use the `git` option with invalid, but seemingly harmless, values with a leading dash, this can be false. To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as `git clone`. These commands are being constructed using user input (e.g. the repository URL). When building the commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. Since this value comes from the `Gemfile` file, it can contain any character, including a leading dash.\n\nTo exploit this vulnerability, an attacker has to craft a directory containing a `Gemfile` file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of `-u./payload`. This URL will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as `bundle lock`, inside.\n\nThis vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, the exploitability is very low, because it requires a lot of user interaction.\n\nBundler 2.2.33 has patched this problem by inserting `--` as an argument before any positional arguments to those Git commands that were affected by this issue. Regardless of whether users can upgrade or not, they should review any untrusted `Gemfile`\u0027s before running any `bundler` commands that may read them, since they can contain arbitrary ruby code.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-43809",
"url": "https://www.suse.com/security/cve/CVE-2021-43809"
},
{
"category": "external",
"summary": "SUSE Bug 1193578 for CVE-2021-43809",
"url": "https://bugzilla.suse.com/1193578"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:ruby2.5-rubygem-bundler-2.2.34-150700.21.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-15T13:37:50Z",
"details": "important"
}
],
"title": "CVE-2021-43809"
}
]
}
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.