CVE-2020-36327: Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product. URL indicates this is properly fixed in 2.2.18, so please stabilize.
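A simplified model of the source-selection behaviour described above, added here as an illustration; it is not Bundler's own resolver code, and the source URLs, gem names and version numbers are constructed placeholders:

```ruby
# Toy resolver showing why resolving by highest version across all sources is
# unsafe for transitive dependencies of a gem pinned to a private source.
# Illustrative model only, not Bundler's resolver. All data below is constructed.
require "rubygems" # Gem::Version

# Gems visible from each configured source: name => { version => dependencies }.
# "acme-core" is private and depends on "acme-util", which is also private.
# A gem with the same name "acme-util" but a far higher version exists publicly.
CANDIDATES = {
  "https://gems.private.example" => {
    "acme-core" => { "1.4.0" => ["acme-util"] },
    "acme-util" => { "1.2.0" => [] },
  },
  "https://rubygems.org" => {
    "acme-util" => { "99.0.0" => [] },
  },
}.freeze

# Highest version of +name+ offered by any of +sources+ => [source, Gem::Version].
def highest_version(name, sources)
  found = sources.flat_map do |src|
    (CANDIDATES[src][name] || {}).keys.map { |v| [src, Gem::Version.new(v)] }
  end
  found.max_by { |_, v| v } or raise "#{name} not found in #{sources.inspect}"
end

# +root_deps+ maps each Gemfile gem to the source block it sits in (nil = none).
# With pin_dependencies_to_block_source: false, dependencies of a pinned gem are
# resolved from every source by highest version (the CVE-2020-36327 behaviour).
# With true, they inherit the block's source and never touch the public one.
def resolve(root_deps, all_sources, pin_dependencies_to_block_source:)
  resolved = {}
  pending = root_deps.to_a
  until pending.empty?
    name, block_src = pending.shift
    next if resolved[name]
    src, ver = highest_version(name, block_src ? [block_src] : all_sources)
    resolved[name] = [src, ver.to_s]
    CANDIDATES[src][name][ver.to_s].each do |dep|
      pending << [dep, pin_dependencies_to_block_source ? block_src : nil]
    end
  end
  resolved
end
```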
Package list is empty or all packages have requested keywords.
Ping.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=cf9015f3dee372a335e1d143abb09a32c988e7fa

commit cf9015f3dee372a335e1d143abb09a32c988e7fa
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-10 08:23:41 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-10 08:23:53 +0000

    [ GLSA 202408-22 ] Bundler: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/743214
    Bug: https://bugs.gentoo.org/798135
    Bug: https://bugs.gentoo.org/828884
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-22.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)