CVE-2013-0334
Bundler < 1.7.0 - Arbitrary Gem Installation via Duplicate Gem Name in Multiple Sources
Title source: llmDescription
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.
References (8)
- Third Party Advisory (vendor-advisory, x_refsource_gentoo): https://security.gentoo.org/glsa/201609-02
- Third Party Advisory (vendor-advisory, x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html
- Third Party Advisory (vendor-advisory, x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html
- Vendor Advisory (x_refsource_confirm): http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html
- Third Party Advisory (x_refsource_confirm): http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- Third Party Advisory (vendor-advisory, x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html
- Third Party Advisory (vendor-advisory, x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html
- Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/70099
Scores
EPSS: 0.0050
EPSS Percentile: 66.1%
Details
CWE: CWE-20
Status: published
Products (7)
- bundler/bundler: < 1.7.0
- fedoraproject/fedora: 19
- fedoraproject/fedora: 20
- fedoraproject/fedora: 21
- opensuse/opensuse: 13.1
- opensuse/opensuse: 13.2
- rubygems/bundler: 0 - 1.7.0 (RubyGems)
Published: Oct 31, 2014
Tracked Since: Feb 18, 2026