#VU658 Insecure installation in bundler - CVE-2013-0334

Cybersecurity Help s.r.o.

Published: 2016-09-26

Vulnerability identifier: #VU658

Vulnerability risk: Medium

CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2013-0334

CWE-ID: CWE-345

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
bundler
Universal components / Libraries / Software for developers

Vendor: Bundler

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to logic error within Bundler installation process, when handling gemfiles with multiple top-level sources. The application dies not control the installation source and may allow installing gem file from a different server from the list, if the server in question contains the gem file with the same name.

The attack could be launched using malicious gem file on a public repository, such as gems.github.com. A remote attacker can create a malicious gem file, which will be fetched and executed during installation.

Successful exploitation of the vulnerability may result in compromise of vulnerable system.

Mitigation
Update to Bundler 1.7.

Vulnerable software versions

bundler: 0.3.0 - 1.6.9

External links
https://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve...

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Security update for Bundler in Gentoo Linux

Red Hat update for rubygem-bundler and rubygem-thor

Insecure installation in ruby-actionmailer (Alpine package)

Fedora 21 update for rubygem-bundler

Remote code execution in Bundler