Rapid7 Vulnerability & Exploit Database

Oracle Linux: CVE-2020-36327: ELSA-2022-0543: ruby:2.6 security update (IMPORTANT) (Multiple Advisories)

Free InsightVM Trial No Credit Card Necessary

2024 Attack Intel Report Latest research by Rapid7 Labs

Back to Search

Oracle Linux: CVE-2020-36327: ELSA-2022-0543: ruby:2.6 security update (IMPORTANT) (Multiple Advisories)

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

02/09/2021

Created

08/10/2021

Added

08/07/2021

Modified

12/17/2024

Description

Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product. A flaw was found in the way Bundler determined the source repository when installing dependencies of source-restricted gem packages. In configurations that use multiple gem repositories and explicitly define from which source repository certain gems are to be installed, a dependency of a source-restricted gem could be installed form a different source if that repository provided higher version of the package. This could lead to installation of a malicious gem version and arbitrary code execution.

Solution(s)

oracle-linux-upgrade-ruby
oracle-linux-upgrade-ruby-default-gems
oracle-linux-upgrade-ruby-devel
oracle-linux-upgrade-ruby-doc
oracle-linux-upgrade-rubygem-bigdecimal
oracle-linux-upgrade-rubygem-bundler
oracle-linux-upgrade-rubygem-io-console
oracle-linux-upgrade-rubygem-irb
oracle-linux-upgrade-rubygem-json
oracle-linux-upgrade-rubygem-minitest
oracle-linux-upgrade-rubygem-net-telnet
oracle-linux-upgrade-rubygem-openssl
oracle-linux-upgrade-rubygem-power-assert
oracle-linux-upgrade-rubygem-psych
oracle-linux-upgrade-rubygem-rake
oracle-linux-upgrade-rubygem-rdoc
oracle-linux-upgrade-rubygems
oracle-linux-upgrade-rubygems-devel
oracle-linux-upgrade-rubygem-test-unit
oracle-linux-upgrade-rubygem-xmlrpc
oracle-linux-upgrade-ruby-libs

References

https://attackerkb.com/topics/cve-2020-36327
CVE - 2020-36327
ELSA-2022-0543
ELSA-2022-0545
ELSA-2021-3020

Advanced vulnerability management analytics and reporting.

Key Features

Lightweight Endpoint Agent
Live Dashboards
Real Risk Prioritization
IT-Integrated Remediation Projects
Cloud, Virtual, and Container Assessment
Integrated Threat Feeds
Easy-to-Use RESTful API
Automation-Assisted Patching
Automated Containment

Free InsightVM Trial View All Features

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;

Rapid7 Vulnerability & Exploit Database

Oracle Linux: CVE-2020-36327: ELSA-2022-0543: ruby:2.6 security update (IMPORTANT) (Multiple Advisories)

Oracle Linux: CVE-2020-36327: ELSA-2022-0543: ruby:2.6 security update (IMPORTANT) (Multiple Advisories)

Description

Solution(s)

References

Submit your information and we will get in touch with you.

Thank you for contacting us.

We will be in touch shortly.