CVE-2020-36327

NameCVE-2020-36327
DescriptionBundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bundler (PTS)stretch1.13.6-2vulnerable
buster1.17.3-3+deb10u1vulnerable
rubygems (PTS)bullseye, sid3.2.5-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
bundlersource(unstable)(unfixed)
rubygemssource(unstable)(unfixed)

Notes

[buster] - bundler <no-dsa> (Minor issue)
[stretch] - bundler <no-dsa> (Invasive change, hard to backport; chances of regression)
[bullseye] - rubygems <no-dsa> (Minor issue)
https://github.com/rubygems/rubygems/issues/3982
Search for package or bug name: Reporting problems