CVE-2020-36327

NameCVE-2020-36327
DescriptionBundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bundler (PTS)jessie1.7.4-1vulnerable
stretch1.13.6-2vulnerable
buster1.17.3-3+deb10u1vulnerable
rubygems (PTS)bullseye3.2.5-2vulnerable
bookworm3.3.15-2fixed
sid, trixie3.4.20-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
bundlersource(unstable)(unfixed)
rubygemssource(unstable)3.3.5-1

Notes

[buster] - bundler <no-dsa> (Minor issue)
[stretch] - bundler <no-dsa> (Invasive change, hard to backport; chances of regression)
[bullseye] - rubygems <ignored> (Minor issue, too intrusive to backport)
https://github.com/rubygems/rubygems/issues/3982
https://github.com/rubygems/rubygems/pull/4609
[jessie] - bundler <no-dsa> (Minor issue)

Search for package or bug name: Reporting problems