PT-2021-12010 · Bundler (+6)

Deivid-Rodriguez (+1)

Published 2021-04-29 · Updated 2026-04-15

CVE-2020-36327

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Bundler versions 1.16.0 through 2.2.9; Bundler versions 2.2.11 through 2.2.16
Description: Bundler sometimes chooses a dependency's source based on the highest gem version number. This means a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem explicitly depended on by the application.
Recommendations: For Bundler versions 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16, consider updating to a version outside of those ranges to mitigate the risk. As a temporary workaround, consider restricting the use of public gem sources to minimize the risk of exploitation.
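As an added example, not part of this advisory: a small Ruby model of the Gemfile `source` and `gem` calls that decide which servers may serve a gem, showing the weak layout (two global sources, every unscoped gem a candidate for either) beside the hardened one (a single global source, private gems pinned in a `source` block). The private server URL and gem names are constructed, and transitive dependencies of private gems, which the affected Bundler versions still resolved across sources, are not modelled.

```ruby
# Added example (not from the advisory): models the Gemfile `source`/`gem`
# calls that decide which servers may serve a gem; transitive deps not modelled.
class GemfileAudit
  def initialize
    @globals = [] # top-level `source` URLs: any may serve an unscoped gem
    @gems = {}    # gem name => URL of the enclosing `source` block, or nil
    @block = nil
  end
  # `source url` adds a global source; `source url do ... end` pins every gem
  # declared inside the block to that single URL.
  def source(url, &block)
    return @globals << url unless block
    previous, @block = @block, url
    instance_eval(&block)
    @block = previous
  end
  def gem(name, *_version_and_options)
    @gems[name] = @block
  end
  def candidates # gem name => URLs it could be fetched from
    @gems.transform_values { |url| url ? [url] : @globals.dup }
  end
end

# Evaluates Gemfile text; returns the names of gems that more than one source
# could satisfy, which is empty when every gem is pinned to a single server.
def ambiguous_gems(gemfile_text)
  audit = GemfileAudit.new
  audit.instance_eval(gemfile_text)
  audit.candidates.select { |_, urls| urls.size > 1 }.keys
end

# Weak: two global sources, so a public lookalike "internal-auth" with a higher
# version number would be preferred over the private one.
WEAK = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.example.internal"  # constructed private server
  gem "rails"
  gem "internal-auth"                     # constructed private gem
GEMFILE

# Hardened: one global source; private gems pinned in a source block.
HARDENED = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails"
  source "https://gems.example.internal" do
    gem "internal-auth"
  end
GEMFILE
```

Even with the hardened layout, only a fixed Bundler version applies the block's source to the private gem's own dependencies, so the upgrade remains the primary fix.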

Related Identifiers

ALSA-2021:3020
ALSA-2022:0543
ALSA-2022:0545
ALSA-2025_16880
CESA-2021_3020
CESA-2022_0543
CESA-2022_0545
CVE-2020-36327
ELSA-2021-3020
ELSA-2022-0543
ELSA-2022-0545
GHSA-FP4W-JXHP-M23P
MGASA-2021-0579
OESA-2021-1258
OPENSUSE-SU-2025_1294-1
RHSA-2021:3020
RHSA-2021:3559
RHSA-2021:3982
RHSA-2022:0543
RHSA-2022:0544
RHSA-2022:0545
RHSA-2022:0546
RHSA-2022:0547
RHSA-2022:0548
RHSA-2022:0581
RHSA-2022:0582
RHSA-2022:0708
RLSA-2021:3020
RLSA-2022:0543
RLSA-2022:0545
SUSE-SU-2025:1294-1
SUSE-SU-2026:1355-1

Affected Products

AlmaLinux
Bundler
CentOS
Debian
Red Hat
Rocky Linux
SUSE