Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every Dependency Confusion issue in every product.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Bundler | Bundler | 1.16.0 (including) | 2.2.10 (excluding) |
| Bundler | Bundler | 2.2.11 (including) | 2.2.16 (including) |
| Red Hat Enterprise Linux 8 | RedHat | ruby:2.7-8040020210728141159.522a0ee4 | * |
| Red Hat Enterprise Linux 8 | RedHat | ruby:2.6-8050020211215144356.c5368500 | * |
| Red Hat Enterprise Linux 8 | RedHat | ruby:2.5-8050020220112131355.c5368500 | * |
| Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | RedHat | ruby:2.5-8010020220201125517.c27ad7f8 | * |
| Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | RedHat | ruby:2.6-8010020220201152941.c27ad7f8 | * |
| Red Hat Enterprise Linux 8.2 Extended Update Support | RedHat | ruby:2.5-8020020220201125131.4cda2c84 | * |
| Red Hat Enterprise Linux 8.2 Extended Update Support | RedHat | ruby:2.6-8020020220201131207.4cda2c84 | * |
| Red Hat Enterprise Linux 8.4 Extended Update Support | RedHat | ruby:2.6-8040020220131135901.522a0ee4 | * |
| Red Hat Enterprise Linux 8.4 Extended Update Support | RedHat | ruby:2.5-8040020220201123518.522a0ee4 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-ruby27-ruby-0:2.7.4-130.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-ruby30-ruby-0:3.0.2-148.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-ruby26-ruby-0:2.6.9-120.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | rh-ruby27-ruby-0:2.7.4-130.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | rh-ruby30-ruby-0:3.0.2-148.el7 | * |
| Bundler | Ubuntu | bionic | * |
| Bundler | Ubuntu | focal | * |
| Bundler | Ubuntu | groovy | * |
| Bundler | Ubuntu | hirsute | * |
| Bundler | Ubuntu | trusty | * |
| Bundler | Ubuntu | xenial | * |
References
- https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html
- https://github.com/rubygems/rubygems/issues/3982
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/
- https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105
- https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/
- https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html
- https://github.com/rubygems/rubygems/issues/3982
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/
- https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105
- https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/