ID CVE-2020-36327
Summary Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.
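The resolution behaviour the summary describes, together with the two checks a practitioner would run before and after moving to a version the summary lists as unaffected (2.2.10, or 2.2.17 and later), as an added Ruby example that is neither Bundler's own code nor part of this record: a Gemfile with two global sources (the configuration in which every gem, the transitive private one included, is looked up on both sources and the highest version wins) beside a Gemfile that keeps one global source and pins the private gems, transitive ones included, to a `source` block; and a Gemfile.lock audit that confirms each private gem resolved solely from the private remote. The hostnames, gem names, versions, Gemfile text and Gemfile.lock text are constructed for illustration.

```ruby
# Added example (not Bundler's code): lint a Gemfile for the multi-global-source
# pattern CVE-2020-36327 abuses, then audit a Gemfile.lock to confirm each private
# gem resolved only from the private remote. All names below are constructed.

PRIVATE_REMOTE = "https://gems.example.internal/"  # assumed private gem server
PRIVATE_GEMS   = %w[acme-core acme-util].freeze    # assumed private gem names

# Constructed: two global sources, so acme-core's dependency acme-util is looked
# up on rubygems.org as well, and a higher public version wins.
VULNERABLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.example.internal"

  gem "rails", "~> 6.1"
  gem "acme-core", "~> 1.4"
GEMFILE

# Constructed: one global source; private gems, including the transitive one,
# are named explicitly inside a source block.
HARDENED_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"

  gem "rails", "~> 6.1"

  source "https://gems.example.internal" do
    gem "acme-core", "~> 1.4"
    gem "acme-util"   # listed even though acme-core pulls it in
  end
GEMFILE

# Constructed lockfile showing a confused resolution: acme-util satisfied the
# "~> 2.0" requirement from rubygems.org instead of the private remote.
CONFUSED_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      acme-util (2.99.0)
      rails (6.1.7)

  GEM
    remote: https://gems.example.internal/
    specs:
      acme-core (1.4.2)
        acme-util (~> 2.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    acme-core (~> 1.4)!
    rails (~> 6.1)
LOCK

# Line-based Gemfile lint: global source lines, and private gems that are not
# pinned by a source block or an explicit source:/git:/github:/path: option.
def gemfile_findings(text, private_gems: PRIVATE_GEMS)
  stack, globals, unscoped = [], [], []   # stack: open do-blocks (:source/:other)
  text.each_line do |raw|
    line = raw.sub(/#.*$/, "").strip
    next if line.empty?
    if (m = line.match(/\Asource\s+["']([^"']+)["']\s*(do)?\z/))
      if m[2]
        stack.push(:source)
      elsif stack.empty?
        globals << m[1]
      end
    elsif line.match?(/\bdo\z/)          # group/platforms/... blocks
      stack.push(:other)
    elsif line == "end"
      stack.pop
    elsif (m = line.match(/\Agem\s+["']([^"']+)["'](.*)\z/))
      pinned = stack.include?(:source) || m[2].match?(/\b(source|git|github|path):/)
      unscoped << m[1] if private_gems.include?(m[1]) && !pinned
    end
  end
  { global_sources: globals, unscoped_private_gems: unscoped }
end

# Parse the GEM sections of a Gemfile.lock into name => { version:, remotes: }.
# A section with several remote: lines gives its specs all of those remotes,
# i.e. ambiguous provenance, which the audit below also flags.
def lockfile_specs(text)
  specs, remotes = {}, nil
  text.each_line do |raw|
    line = raw.chomp
    if line == "GEM"
      remotes = []
    elsif remotes.nil?
      # outside a GEM section (PLATFORMS, DEPENDENCIES, ...)
    elsif (m = line.match(/\A  remote: (\S+)\z/))
      remotes << m[1]
    elsif (m = line.match(/\A    (\S+) \(([^)]+)\)\z/))   # 4-space indent = spec
      specs[m[1]] = { version: m[2], remotes: remotes.dup }
    elsif line.empty? || !line.start_with?(" ")
      remotes = nil                                        # section ended
    end
  end
  specs
end

# Private gems whose resolved remote is anything other than the private one.
def confused_private_gems(lock_text, private_remote: PRIVATE_REMOTE, private_gems: PRIVATE_GEMS)
  lockfile_specs(lock_text)
    .select { |name, info| private_gems.include?(name) && info[:remotes] != [private_remote] }
    .transform_values { |info| "#{info[:version]} from #{info[:remotes].join(', ')}" }
end

if __FILE__ == $PROGRAM_NAME
  p gemfile_findings(VULNERABLE_GEMFILE)  # two global sources, acme-core unscoped
  p gemfile_findings(HARDENED_GEMFILE)    # one global source, nothing unscoped
  p confused_private_gems(CONFUSED_LOCKFILE)
end
```

The Gemfile lint catches the configuration, but the lockfile audit is the evidence that matters: a `source` block only constrains the gems named inside it, so on an affected Bundler version a private gem that is reached only transitively is exactly the one the summary says can be taken from the public source, which is why the hardened Gemfile names acme-util explicitly. Run the audit against the real Gemfile.lock after every `bundle lock` or `bundle update`, and treat any private gem that resolved from more than one remote, or from a public one, as a confused resolution to investigate rather than a warning to suppress.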
References
Vulnerable Configurations
  • cpe:2.3:a:bundler:bundler:1.16.0:-:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:1.16.0:pre1:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:1.16.0:pre2:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:1.16.0:pre3:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:1.16.1:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:1.16.2:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:1.16.3:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:1.16.4:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:1.16.5:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:1.16.6:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:1.17.0:-:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:1.17.0:pre1:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:1.17.0:pre2:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:1.17.1:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:1.17.2:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:1.17.3:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.0.0:-:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.0.0:pre1:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.0.0:pre2:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.0.0:pre3:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.0.1:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.0.2:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.1.0:-:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.1.0:pre1:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.1.0:pre2:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.1.1:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.1.2:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.1.3:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.1.4:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.2.0:-:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.2.0:rc1:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.2.0:rc2:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.2.1:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.2.2:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.2.3:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.2.4:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.2.5:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.2.6:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.2.7:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.2.8:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.2.9:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.2.11:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.2.12:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.2.13:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.2.14:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.2.15:*:*:*:*:ruby:*:*
  • cpe:2.3:a:bundler:bundler:2.2.16:*:*:*:*:ruby:*:*
  • cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:package_manager_configurations:-:*:*:*:*:*:*:*
CVSS
Base: 9.3 (as of 05-04-2022 - 18:06)
CWE NVD-CWE-noinfo
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
cvss-vector via4 AV:N/AC:M/Au:N/C:C/I:C/A:C
Last major update 05-04-2022 - 18:06
Published 29-04-2021 - 03:15
Last modified 05-04-2022 - 18:06