CVE-2016-7954
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2016-7954
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-7954.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2016-7954
- Aliases
- Downstream
- Published
- 2016-12-22T22:59:00.123Z
- Modified
- 2025-12-06T20:55:45.586852Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.
- References
-
- http://collectiveidea.com/blog/archives/2016/10/06/bundlers-multiple-source-security-vulnerability/
- http://www.openwall.com/lists/oss-security/2016/10/04/5
- http://www.openwall.com/lists/oss-security/2016/10/04/7
- http://www.openwall.com/lists/oss-security/2016/10/05/3
- http://www.securityfocus.com/bid/93423
- https://github.com/bundler/bundler/issues/5051
- https://github.com/bundler/bundler/issues/5062
- https://bugzilla.redhat.com/show_bug.cgi?id=1381951
Affected packages
Git / github.com/bundler/bundler
Affected ranges
- Type
- GIT
- Repo
- https://github.com/bundler/bundler
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affected
Affected versions
0.*
0.9.10
0.9.11
0.9.12
0.9.13
0.9.14
0.9.15
0.9.16
0.9.17
0.9.18
0.9.19
0.9.20
0.9.21
0.9.22
0.9.23
0.9.24
0.9.25
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
1.*
1.0.0
1.0.0.beta.1
1.0.0.beta.10
1.0.0.beta.2
1.0.0.beta.3
1.0.0.beta.4
1.0.0.beta.5
1.0.0.beta.6
1.0.0.beta.7
1.0.0.beta.8
1.0.0.beta.9
1.0.0.rc.1
1.0.0.rc.2
1.0.0.rc.3
1.0.0.rc.4
1.0.0.rc.5
1.0.0.rc.6
v0.*
v0.9.0
v0.9.0.pre3
v0.9.0.pre4
v0.9.0.pre5
v1.*
v1.0.0
v1.0.1
v1.0.10
v1.0.11
v1.0.12
v1.0.13
v1.0.14
v1.0.15
v1.0.16
v1.0.17
v1.0.18
v1.0.19.rc
v1.0.2
v1.0.20
v1.0.20.rc
v1.0.21
v1.0.21.rc
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.5
v1.1.pre
v1.1.pre.1
v1.1.pre.10
v1.1.pre.2
v1.1.pre.3
v1.1.pre.4
v1.1.pre.5
v1.1.pre.6
v1.1.pre.7
v1.1.pre.8
v1.1.pre.9
v1.1.rc
v1.1.rc.2
v1.1.rc.3
v1.1.rc.4
v1.1.rc.5
v1.1.rc.6
v1.1.rc.7
v1.1.rc.8
v1.2.0
v1.2.0.pre
v1.2.0.pre.1
v1.2.0.rc
v1.2.0.rc.2
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.3.0
v1.3.0.pre
v1.3.0.pre.2
v1.3.0.pre.3
v1.3.0.pre.4
v1.3.0.pre.5
v1.3.0.pre.6
v1.3.0.pre.7
v1.3.0.pre.8
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.4.0.pre.1
v1.4.0.pre.2
v1.4.0.rc.1
v1.5.0
v1.5.0.rc.1
v1.5.0.rc.2
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.0.pre.1
v1.6.0.pre.2
v1.6.0.rc
v1.6.0.rc2
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.7.0
v1.7.1
v1.7.1.pre
v1.7.1.pre.2
v1.7.1.pre.3
v1.7.10
v1.7.11
v1.7.12
v1.7.13
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.7.8
v1.7.9
v1.8.0
v1.8.0.pre
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.9.0
v1.9.0.pre
v1.9.0.pre.1
v1.9.0.rc
v1.9.1
Git / github.com/rubygems/rubygems
Affected ranges
- Type
- GIT
- Repo
- https://github.com/rubygems/rubygems
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affected