GHSA-jvgm-pfqv-887x

Source

https://github.com/advisories/GHSA-jvgm-pfqv-887x

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jvgm-pfqv-887x/GHSA-jvgm-pfqv-887x.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jvgm-pfqv-887x

Aliases

CVE-2016-7954

Published

2022-05-14T00:57:16Z

Modified

2025-04-14T22:27:57.972251Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Bundler allows attacker to inject arbitrary code via secondary Gem source

Details

Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.

Database specific

{
    "nvd_published_at": "2016-12-22T22:59:00Z",
    "severity": "CRITICAL",
    "github_reviewed_at": "2023-06-23T21:46:31Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-94"
    ]
}

References

Affected packages

RubyGems / bundler

Package

Name: bundler
Purl: pkg:gem/bundler

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0

Fixed

2.0.0

Affected versions

1.*

1.0.0

1.0.2

1.0.3

1.0.5

1.0.7

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.15

1.0.17

1.0.18

1.0.19.rc

1.0.20.rc

1.0.20

1.0.21.rc

1.0.21

1.0.22

1.1.pre

1.1.pre.1

1.1.pre.2

1.1.pre.3

1.1.pre.4

1.1.pre.5

1.1.pre.7

1.1.pre.8

1.1.pre.9

1.1.pre.10

1.1.rc

1.1.rc.2

1.1.rc.3

1.1.rc.5

1.1.rc.6

1.1.rc.7

1.1.rc.8

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.2.0.pre

1.2.0.pre.1

1.2.0.rc

1.2.0.rc.2

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.3.0.pre

1.3.0.pre.2

1.3.0.pre.3

1.3.0.pre.4

1.3.0.pre.5

1.3.0.pre.6

1.3.0.pre.7

1.3.0.pre.8

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.4.0.pre.1

1.4.0.pre.2

1.4.0.rc.1

1.5.0.rc.1

1.5.0.rc.2

1.5.0

1.5.1

1.5.2

1.5.3

1.6.0.pre.1

1.6.0.pre.2

1.6.0.rc

1.6.0.rc2

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9

1.7.0

1.7.1.pre

1.7.1.pre.2

1.7.1.pre.3

1.7.1

1.7.2

1.7.3

1.7.4

1.7.5

1.7.6

1.7.7

1.7.8

1.7.9

1.7.10

1.7.11

1.7.12

1.7.13

1.7.14

1.7.15

1.8.0.pre

1.8.0

1.8.1

1.8.2

1.8.3

1.8.4

1.8.5

1.8.6

1.8.7

1.8.8

1.8.9

1.9.0.pre

1.9.0.pre.1

1.9.0.rc

1.9.0

1.9.1

1.9.2

1.9.3

1.9.4

1.9.5

1.9.6

1.9.7

1.9.8

1.9.9

1.9.10

1.10.0.pre

1.10.0.pre.1

1.10.0.pre.2

1.10.0.rc

1.10.0

1.10.1

1.10.2

1.10.3

1.10.4

1.10.5

1.10.6

1.11.0.pre.1

1.11.0.pre.2

1.11.0

1.11.1

1.11.2

1.12.0.pre.1

1.12.0.pre.2

1.12.0.rc

1.12.0.rc.2

1.12.0.rc.3

1.12.0.rc.4

1.12.0

1.12.1

1.12.2

1.12.3

1.12.4

1.12.5

1.12.6

1.13.0.pre.1

1.13.0.rc.1

1.13.0.rc.2

1.13.0

1.13.1

1.13.2

1.13.3

1.13.4

1.13.5

1.13.6

1.13.7

1.14.0.pre.1

1.14.0.pre.2

1.14.0

1.14.1

1.14.2

1.14.3

1.14.4

1.14.5

1.14.6

1.15.0.pre.1

1.15.0.pre.2

1.15.0.pre.3

1.15.0.pre.4

1.15.0

1.15.1

1.15.2

1.15.3

1.15.4

1.16.0.pre.1

1.16.0.pre.2

1.16.0.pre.3

1.16.0

1.16.1

1.16.2

1.16.3

1.16.4

1.16.5

1.16.6

1.17.0.pre.1

1.17.0.pre.2

1.17.0

1.17.1

1.17.2

1.17.3

2.*

2.0.0.pre.1

2.0.0.pre.2

2.0.0.pre.3