CVE-2016-7954

Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source.  NOTE: this might overlap CVE-2013-0334.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
VendorProductVersion
bundlerbundler
1.0.0
bundlerbundler
1.0.0:beta1
bundlerbundler
1.0.0:beta10
bundlerbundler
1.0.0:beta6
bundlerbundler
1.0.0:beta7
bundlerbundler
1.0.0:beta8
bundlerbundler
1.0.0:beta9
bundlerbundler
1.0.0:rc1
bundlerbundler
1.0.0:rc2
bundlerbundler
1.0.0:rc3
bundlerbundler
1.0.0:rc4
bundlerbundler
1.0.0:rc5
bundlerbundler
1.0.0:rc6
bundlerbundler
1.0.1
bundlerbundler
1.0.2
bundlerbundler
1.0.3
bundlerbundler
1.0.4
bundlerbundler
1.0.5
bundlerbundler
1.0.6
bundlerbundler
1.0.7
bundlerbundler
1.0.8
bundlerbundler
1.0.9
bundlerbundler
1.0.10
bundlerbundler
1.0.11
bundlerbundler
1.0.12
bundlerbundler
1.0.13
bundlerbundler
1.0.14
bundlerbundler
1.0.15
bundlerbundler
1.0.16
bundlerbundler
1.0.17
bundlerbundler
1.0.18
bundlerbundler
1.0.19:rc
bundlerbundler
1.0.20
bundlerbundler
1.0.20:rc
bundlerbundler
1.0.21
bundlerbundler
1.0.21:rc
bundlerbundler
1.1:pre
bundlerbundler
1.1:pre1
bundlerbundler
1.1:pre10
bundlerbundler
1.1:pre2
bundlerbundler
1.1:pre3
bundlerbundler
1.1:pre4
bundlerbundler
1.1:pre5
bundlerbundler
1.1:pre6
bundlerbundler
1.1:pre7
bundlerbundler
1.1:pre8
bundlerbundler
1.1:pre9
bundlerbundler
1.1:rc
bundlerbundler
1.1:rc2
bundlerbundler
1.1:rc3
bundlerbundler
1.1:rc4
bundlerbundler
1.1:rc5
bundlerbundler
1.1:rc6
bundlerbundler
1.1:rc7
bundlerbundler
1.1:rc8
bundlerbundler
1.1.0
bundlerbundler
1.1.1
bundlerbundler
1.1.2
bundlerbundler
1.1.3
bundlerbundler
1.1.4
bundlerbundler
1.1.5
bundlerbundler
1.2.0
bundlerbundler
1.2.0:pre
bundlerbundler
1.2.0:pre1
bundlerbundler
1.2.0:rc
bundlerbundler
1.2.0:rc2
bundlerbundler
1.2.1
bundlerbundler
1.2.2
bundlerbundler
1.2.3
bundlerbundler
1.2.4
bundlerbundler
1.2.5
bundlerbundler
1.3.0
bundlerbundler
1.3.0:pre
bundlerbundler
1.3.0:pre2
bundlerbundler
1.3.0:pre3
bundlerbundler
1.3.0:pre4
bundlerbundler
1.3.0:pre5
bundlerbundler
1.3.0:pre6
bundlerbundler
1.3.0:pre7
bundlerbundler
1.3.0:pre8
bundlerbundler
1.3.1
bundlerbundler
1.3.2
bundlerbundler
1.3.3
bundlerbundler
1.3.4
bundlerbundler
1.3.5
bundlerbundler
1.3.6
bundlerbundler
1.4.0:pre1
bundlerbundler
1.4.0:rc1
bundlerbundler
1.5.0
bundlerbundler
1.5.0:rc1
bundlerbundler
1.5.0:rc2
bundlerbundler
1.5.1
bundlerbundler
1.5.2
bundlerbundler
1.5.3
bundlerbundler
1.6.0
bundlerbundler
1.6.1
bundlerbundler
1.6.2
bundlerbundler
1.6.3
bundlerbundler
1.6.4
bundlerbundler
1.6.5
bundlerbundler
1.6.6
bundlerbundler
1.6.7
bundlerbundler
1.7.0
bundlerbundler
1.7.1
bundlerbundler
1.7.2
bundlerbundler
1.7.3
bundlerbundler
1.7.4
bundlerbundler
1.7.5
bundlerbundler
1.7.6
bundlerbundler
1.7.7
bundlerbundler
1.7.8
bundlerbundler
1.7.9
bundlerbundler
1.7.10
bundlerbundler
1.7.11
bundlerbundler
1.7.12
bundlerbundler
1.7.13
bundlerbundler
1.7.14
bundlerbundler
1.7.15
bundlerbundler
1.8.0
bundlerbundler
1.8.0:pre
bundlerbundler
1.8.0:rc
bundlerbundler
1.8.1
bundlerbundler
1.8.2
bundlerbundler
1.8.3
bundlerbundler
1.8.4
bundlerbundler
1.8.5
bundlerbundler
1.8.6
bundlerbundler
1.8.7
bundlerbundler
1.8.8
bundlerbundler
1.8.9
bundlerbundler
1.9.0
bundlerbundler
1.9.0:pre
bundlerbundler
1.9.0:pre1
bundlerbundler
1.9.0:rc
bundlerbundler
1.9.1
bundlerbundler
1.9.2
bundlerbundler
1.9.3
bundlerbundler
1.9.4
bundlerbundler
1.9.5
bundlerbundler
1.9.6
bundlerbundler
1.9.7
bundlerbundler
1.9.8
bundlerbundler
1.9.9
bundlerbundler
1.9.10
bundlerbundler
1.10.0
bundlerbundler
1.10.0:pre
bundlerbundler
1.10.0:pre1
bundlerbundler
1.10.0:pre2
bundlerbundler
1.10.0:rc
bundlerbundler
1.10.1
bundlerbundler
1.10.2
bundlerbundler
1.10.3
bundlerbundler
1.10.4
bundlerbundler
1.10.5
bundlerbundler
1.10.6
bundlerbundler
1.11.0
bundlerbundler
1.11.0:pre1
bundlerbundler
1.11.0:pre2
bundlerbundler
1.11.1
bundlerbundler
1.11.2
bundlerbundler
1.12.0
bundlerbundler
1.12.0:pre1
bundlerbundler
1.12.0:pre2
bundlerbundler
1.12.0:rc
bundlerbundler
1.12.0:rc2
bundlerbundler
1.12.0:rc3
bundlerbundler
1.12.0:rc4
bundlerbundler
1.12.1
bundlerbundler
1.12.2
bundlerbundler
1.12.3
bundlerbundler
1.12.4
bundlerbundler
1.12.5
bundlerbundler
1.12.6
bundlerbundler
1.13.0
bundlerbundler
1.13.0:pre1
bundlerbundler
1.13.0:rc1
bundlerbundler
1.13.0:rc2
bundlerbundler
1.13.1
bundlerbundler
1.13.2
bundlerbundler
1.13.3
bundlerbundler
1.13.4
bundlerbundler
1.13.5
bundlerbundler
1.13.6
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
bundler
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
not-affected
groovy
not-affected
focal
not-affected
eoan
ignored
disco
ignored
cosmic
ignored
bionic
deferred
artful
ignored
zesty
ignored
yakkety
ignored
xenial
deferred
trusty
dne
precise
dne
Common Weakness Enumeration
References
http://collectiveidea.com/blog/archives/2016/10/06/bundlers-multiple-source-security-vulnerability/
http://www.openwall.com/lists/oss-security/2016/10/04/5
http://www.openwall.com/lists/oss-security/2016/10/04/7
http://www.openwall.com/lists/oss-security/2016/10/05/3
http://www.securityfocus.com/bid/93423
https://bugzilla.redhat.com/show_bug.cgi?id=1381951
https://github.com/bundler/bundler/issues/5051
https://github.com/bundler/bundler/issues/5062
http://collectiveidea.com/blog/archives/2016/10/06/bundlers-multiple-source-security-vulnerability/
http://www.openwall.com/lists/oss-security/2016/10/04/5
http://www.openwall.com/lists/oss-security/2016/10/04/7
http://www.openwall.com/lists/oss-security/2016/10/05/3
http://www.securityfocus.com/bid/93423
https://bugzilla.redhat.com/show_bug.cgi?id=1381951
https://github.com/bundler/bundler/issues/5051
https://github.com/bundler/bundler/issues/5062