Gentoo update for Bundler
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2019-3881 CVE-2020-36327 CVE-2021-43809 |
| CWE-ID | CWE-552 CWE-345 CWE-88 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Gentoo Linux Operating systems & Components / Operating system dev-ruby/bundler Operating systems & Components / Operating system package or component |
| Vendor | Gentoo |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Files or Directories Accessible to External Parties
EUVDB-ID: #VU49352
Risk: Low
CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-3881
CWE-ID:
CWE-552 - Files or Directories Accessible to External Parties
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to Bundler uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.
MitigationUpdate the affected packages.
dev-ruby/bundler to version: 2.2.33
Gentoo Linux: All versions
dev-ruby/bundler: before 2.2.33
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:dev-ruby_bundler:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202408-22
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Insufficient verification of data authenticity
EUVDB-ID: #VU55666
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-36327
CWE-ID:
CWE-345 - Insufficient Verification of Data Authenticity
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient verification of data authenticity in Bundler, when choosing a dependency source. The application selects a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application.
MitigationUpdate the affected packages.
dev-ruby/bundler to version: 2.2.33
Gentoo Linux: All versions
dev-ruby/bundler: before 2.2.33
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:dev-ruby_bundler:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202408-22
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper Neutralization of Argument Delimiters in a Command
EUVDB-ID: #VU85298
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-43809
CWE-ID:
CWE-88 - Argument Injection or Modification
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability occurs when working with untrusted and apparently harmless `Gemfile`'s. A local user can trick the victim into opening a specially crafted directory containing a `Gemfile` file that declares a dependency that is located in a Git repository and execute arbitrary code on the target system.
MitigationUpdate the affected packages.
dev-ruby/bundler to version: 2.2.33
Gentoo Linux: All versions
dev-ruby/bundler: before 2.2.33
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:dev-ruby_bundler:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202408-22
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
