openEuler update for rubygem-bundler

Published: 2021-12-31

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2021-43809
CWE-ID	CWE-88
Exploitation vector	Local
Public exploit	N/A
Vulnerable software	openEuler Operating systems & Components / Operating system rubygem-bundler-help Operating systems & Components / Operating system package or component rubygem-bundler Operating systems & Components / Operating system package or component
Vendor	openEuler

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Improper Neutralization of Argument Delimiters in a Command

EUVDB-ID: #VU85298

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-43809

CWE-ID: CWE-88 - Argument Injection or Modification

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability occurs when working with untrusted and apparently harmless `Gemfile`'s. A local user can trick the victim into opening a specially crafted directory containing a `Gemfile` file that declares a dependency that is located in a Git repository and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 20.03 LTS SP2

rubygem-bundler-help: before 2.2.33-1

rubygem-bundler: before 2.2.33-1

CPE2.3

External links

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1480

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.