CVE-2020-36327 — Vulnetix

Try Vulnetix Request Demo

CVE-2020-36327 PUBLISHED

Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.

EPSS 24.73% · 96.1th percentile

Risk Scores

EPSS Score

24.73%

96.1th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:18.04:LTS	bundler	0, 1.15.1-1, 1.16.1-1
Ubuntu:16.04:LTS	bundler	0, 1.10.6-1, 1.10.6-2
Ubuntu:20.04:LTS	bundler	0, 1.17.3-3, 2.1.4-1

Timeline

Apr 29, 2021 CVE Published
Apr 29, 2021 EPSS Score
May 13, 2021 EPSS Score
May 18, 2021 EPSS Score
Jul 30, 2021 CVE Updated
Feb 4, 2022 EPSS Score
Apr 6, 2022 EPSS Score
Mar 7, 2023 EPSS Score
Mar 21, 2025 EPSS Score
Mar 29, 2025 EPSS Score
Apr 1, 2025 EPSS Score
Apr 2, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2020-36327 third-party-advisory
https://github.com/rubygems/rubygems/issues/3982 third-party-advisory
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2020-36327 third-party-advisory

Open in Interactive Console →