Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.
References
Link | Resource |
---|---|
https://github.com/bundler/bundler/issues/5062 | Issue Tracking Patch Third Party Advisory |
https://github.com/bundler/bundler/issues/5051 | Issue Tracking Patch Third Party Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=1381951 | Issue Tracking |
http://www.securityfocus.com/bid/93423 | Third Party Advisory VDB Entry |
http://www.openwall.com/lists/oss-security/2016/10/05/3 | Mailing List Third Party Advisory |
http://www.openwall.com/lists/oss-security/2016/10/04/7 | Mailing List Third Party Advisory |
http://www.openwall.com/lists/oss-security/2016/10/04/5 | Mailing List Third Party Advisory |
http://collectiveidea.com/blog/archives/2016/10/06/bundlers-multiple-source-security-vulnerability/ | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Information
Published : 2016-12-22 14:59
Updated : 2019-07-02 07:55
NVD link : CVE-2016-7954
Mitre link : CVE-2016-7954
JSON object : View
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')
Products Affected
bundler
- bundler