CVE-2013-0334

Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:N/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 66%
Affected Products (NVD)
VendorProductVersion
bundlerbundler
𝑥
< 1.7.0
opensuseopensuse
13.1
opensuseopensuse
13.2
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
bundler
artful
not-affected
bionic
not-affected
cosmic
not-affected
disco
not-affected
lucid
dne
precise
dne
trusty
dne
utopic
ignored
vivid
not-affected
wily
not-affected
xenial
not-affected
yakkety
not-affected
zesty
not-affected
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
rubygem-bundler
RHEL 7
0:1.7.8-3.el7
fixed
rubygem-bundler-doc
RHEL 7
0:1.7.8-3.el7
fixed
rubygem-thor
RHEL 7
0:0.19.1-1.el7
fixed
rubygem-thor-doc
RHEL 7
0:0.19.1-1.el7
fixed
Common Weakness Enumeration
References
http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html
http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
http://www.securityfocus.com/bid/70099
https://security.gentoo.org/glsa/201609-02
http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html
http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
http://www.securityfocus.com/bid/70099
https://security.gentoo.org/glsa/201609-02