CVE-2019-3881

EUVD-2021-1077
Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 24%
Affected Products (NVD)
VendorProductVersion
bundlerbundler
𝑥
< 2.1.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
bundler
bionic
Fixed 1.16.1-1ubuntu0.1~esm1
released
disco
not-affected
eoan
not-affected
focal
not-affected
groovy
not-affected
hirsute
not-affected
impish
dne
jammy
dne
kinetic
dne
lunar
dne
trusty
dne
xenial
not-affected
Common Weakness Enumeration
References
https://bugzilla.redhat.com/show_bug.cgi?id=1651826
https://bugzilla.redhat.com/show_bug.cgi?id=1651826