SNYK-RUBY-BUNDLER-1078261
## Overview

Affected versions of this package are vulnerable to Unsafe Dependency Resolution. An issue exists in bundler regarding the priority given to transitive dependencies when the lockfile contains split rubygems source sections. This could lead to a dependency confusion attack, where gems are resolved incorrectly.

## Remediation

Upgrade `bundler` to version 2.2.10, 2.2.16 or higher.

## References

- [Dependency Confusion](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)
- [GitHub Changelog](https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#security-fixes)
- [GitHub PR](https://github.com/rubygems/rubygems/pull/3655)
- [RubyGems dependency confusion attack side of things](https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/)
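The advisory turns on a lockfile with more than one `GEM` source section. A quick defensive check, independent of the bundler version in use, is to parse `Gemfile.lock` and list every gem that is available from more than one remote, since those are the names a resolver could pick from the wrong source. The script below is an added example, not bundler's own code or anything from the advisory; the lockfile it parses is a constructed sample with two `GEM` sections, and the multi-remote heuristic is this example's own, not a check bundler performs.

```ruby
require "set"

# Constructed sample Gemfile.lock (not taken from the advisory): the gem "rake"
# is listed under both the public remote and a private one.
SAMPLE_LOCKFILE = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    rake (13.0.3)
    rails (6.1.0)
      rake (>= 0.13)

GEM
  remote: https://gems.internal.example/
  specs:
    internal-utils (1.0.0)
      rake (>= 12.0)
    rake (13.0.3)

PLATFORMS
  ruby

DEPENDENCIES
  internal-utils
  rails

BUNDLED WITH
   2.2.3
LOCK

# Parse the GEM sections of a Gemfile.lock into { gem_name => Set of remote URLs }.
# Only 4-space-indented lines under "specs:" are gem specs; 6-space lines are
# the dependencies of the spec above them and are deliberately skipped.
def gem_remotes(lockfile_text)
  remotes = Hash.new { |h, k| h[k] = Set.new }
  section = nil
  remote = nil
  in_specs = false
  lockfile_text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line !~ /\A\s/ # top-level heading: GEM, PLATFORMS, DEPENDENCIES, ...
      section = line.strip
      remote = nil
      in_specs = false
      next
    end
    next unless section == "GEM"
    if (m = line.match(/\A  remote: (\S+)/))
      remote = m[1]
    elsif line.start_with?("  specs:")
      in_specs = true
    elsif in_specs && (m = line.match(/\A    (\S+) \(/))
      remotes[m[1]] << remote if remote
    end
  end
  remotes
end

# Gems that appear under more than one remote. Returns { name => sorted remote list }
# so the output is stable and easy to diff in CI.
def multi_source_gems(lockfile_text)
  gem_remotes(lockfile_text)
    .select { |_, rs| rs.size > 1 }
    .transform_values { |rs| rs.to_a.sort }
end

if __FILE__ == $PROGRAM_NAME
  multi_source_gems(SAMPLE_LOCKFILE).each do |name, rs|
    puts "#{name}: available from #{rs.join(', ')}"
  end
end
```

Run it against a real `Gemfile.lock` by replacing `SAMPLE_LOCKFILE` with `File.read("Gemfile.lock")`. Any gem it reports deserves a look: the fix in this advisory is the bundler upgrade, but a lockfile in which a private gem name is also present under the public remote is exactly the shape that dependency confusion exploits, and keeping private gems pinned to their own `source` block in the `Gemfile` removes that ambiguity regardless of resolver version.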
## Affected Products

| Vendor | Product | Versions |
|---|---|---|
## Timeline

- Feb 15, 2021 CVE Updated
- Feb 22, 2021 CVE Published
## References

- https://security.snyk.io/vuln/SNYK-RUBY-BUNDLER-1078261 advisory
- https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 technical
- https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#security-fixes vendor
- https://github.com/rubygems/rubygems/pull/3655 patch
- https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/ technical