CVE-2020-36327

Severity: Medium
Remote: Yes
Type: Insufficient validation
Description
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application.
Group    | Package      | Affected | Fixed    | Severity | Status | Ticket
AVG-1891 | ruby-bundler | 2.2.17-1 | 2.2.18-1 | Medium   | Fixed  |
Date        | Advisory      | Group    | Package      | Severity | Type
01 Jun 2021 | ASA-202106-14 | AVG-1891 | ruby-bundler | Medium   | Insufficient validation
References
https://github.com/rubygems/rubygems/issues/3982
https://github.com/rubygems/rubygems/pull/4609
https://github.com/rubygems/rubygems/commit/d68d3cdb9cc69f648f87e5d3f25881677c1179ea