PT-2021-15665 · Microsoft+2 · Nuget+3

Alex Birsan · Published 2021-02-25 · Updated 2023-12-29 · CVE-2021-24105

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Bundler versions 1.16.0 through 2.2.9
Bundler versions 2.2.11 through 2.2.17
Python/pip (affected versions not specified)
.NET/NuGet (affected versions not specified)
Java/Maven (affected versions not specified)
JavaScript/npm (affected versions not specified)
Description: The issue (dependency confusion) allows an attacker to insert a malicious package into a package manager's repository, which can lead to remote code execution. It affects multiple package managers across different languages. An attacker creates a malicious package with a high version number and publishes it to a public repository; a vulnerable machine that resolves the same package name and prefers the higher public version then downloads and installs it. The attack can occur at various levels, including developer machines, teams, continuous integration pipelines, and customers. The estimated number of potentially affected devices worldwide is not specified.
Recommendations: For Bundler versions 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17, reconfigure the installation tools and workflows to prioritize private gems over public ones. For Python/pip, .NET/NuGet, Java/Maven and JavaScript/npm, reconfigure the package manager so that private package names are never resolved from the public repository (dependency confusion). As a temporary workaround, consider restricting access to public package repositories until a proper configuration is in place. Avoid using packages with high version numbers from untrusted sources.


Related Identifiers

CVE-2021-24105
GHSA-FP4W-JXHP-M23P

Affected Products

.Net Framework
Maven
Nuget
Pip