CVE-2020-36327 log
| Field | Value |
|---|---|
| Source | |
| Severity | Medium |
| Remote | Yes |
| Type | Insufficient validation |
| Description | Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. |
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-1891 | ruby-bundler | 2.2.17-1 | 2.2.18-1 | Medium | Fixed | |
| Date | Advisory | Group | Package | Severity | Type |
|---|---|---|---|---|---|
| 01 Jun 2021 | ASA-202106-14 | AVG-1891 | ruby-bundler | Medium | insufficient validation |
| References |
|---|
| https://github.com/rubygems/rubygems/issues/3982 |
| https://github.com/rubygems/rubygems/pull/4609 |
| https://github.com/rubygems/rubygems/commit/d68d3cdb9cc69f648f87e5d3f25881677c1179ea |