Bundler · CVE-2020-36327
Name of the Vulnerable Software and Affected Versions:
Bundler versions 1.16.0 through 2.2.9
Bundler versions 2.2.11 through 2.2.16
Description:
Bundler sometimes chooses a dependency's source based on the highest available gem version number. This means a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem explicitly depended on by the application.
Recommendations:
For Bundler versions 1.16.0 through 2.2.9, consider updating to a version outside of this range to mitigate the risk.
For Bundler versions 2.2.11 through 2.2.16, consider updating to a version outside of this range to mitigate the risk.
As a temporary workaround, consider restricting the use of public gem sources to minimize the risk of exploitation.
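The workaround above amounts to keeping a single global source in the Gemfile and pinning private gems to their private server with a source block. The following Ruby script is an added example written for this page, not Bundler's own code: it evaluates a Gemfile with a small stand-in for the Gemfile DSL and reports gems that are not scoped to a specific source and whether more than one global source is declared. The two Gemfiles, the server URL gems.internal.example and the gem names internal-auth and internal-billing are constructed for the example.

```ruby
# Added example, not Bundler's code. Audits a Gemfile for the two conditions
# that expose an application to the source-selection problem described above:
# more than one global source, and private gems not scoped to a source block.

# Constructed weak Gemfile: two global sources, one private gem unscoped.
WEAK_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.internal.example"   # hypothetical private server

  gem "rails"
  gem "internal-auth"                      # hypothetical private gem, unscoped

  source "https://gems.internal.example" do
    gem "internal-billing"                 # hypothetical private gem, scoped
  end
GEMFILE

# Constructed corrected Gemfile: one global source, private gems scoped.
FIXED_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"

  gem "rails"

  source "https://gems.internal.example" do
    gem "internal-auth"
    gem "internal-billing"
  end
GEMFILE

class GemfileAudit
  GemDecl = Struct.new(:name, :source)
  attr_reader :global_sources, :gems

  def initialize
    @global_sources = []
    @gems = []
    @current_source = nil   # set while inside a `source "..." do ... end` block
  end

  # `source url` with no block adds a global source; with a block it scopes
  # every gem declared inside the block to that source.
  def source(url)
    if block_given?
      previous = @current_source
      @current_source = url
      yield
      @current_source = previous
    else
      @global_sources << url
    end
  end

  # Records the gem and the source it is pinned to (block scope or source: option).
  def gem(name, *_version_reqs, **opts)
    @gems << GemDecl.new(name, @current_source || opts[:source])
  end

  # Other Gemfile directives (ruby, group, platforms, ...) are ignored, but
  # their blocks are still evaluated so gems declared inside them are seen.
  def method_missing(_name, *_args, &block)
    block&.call
  end

  def respond_to_missing?(*)
    true
  end

  # Gems that could be resolved from any global source.
  def unscoped_gems
    @gems.reject(&:source).map(&:name)
  end

  def multiple_global_sources?
    @global_sources.uniq.size > 1
  end
end

def audit_gemfile(text)
  audit = GemfileAudit.new
  audit.instance_eval(text)
  audit
end

if __FILE__ == $PROGRAM_NAME
  [["weak", WEAK_GEMFILE], ["fixed", FIXED_GEMFILE]].each do |label, text|
    a = audit_gemfile(text)
    puts "#{label}: multiple global sources=#{a.multiple_global_sources?} " \
         "unscoped=#{a.unscoped_gems.inspect}"
  end
end
```

Any unscoped gem name that is also expected to come from a private server is the case the advisory describes; in the corrected Gemfile only rails remains unscoped, and it is meant to come from the single public source.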