CVE-2013-0334 — MEDIUM (5.0)

Q: What is CVE-2013-0334?

CVE-2013-0334 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

Q: How severe is CVE-2013-0334?

CVE-2013-0334 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2013-0334?

Check the references section above for vendor advisories and patch information. Affected products include: Bundler Bundler, Opensuse Opensuse, Fedoraproject Fedora.

Vulnerability Description

Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVSS Score

5.0

MEDIUM

AV:N/AC:L/Au:N/C:N/I:P/A:N

Confidentiality

NONE

Integrity

PARTIAL

Availability

NONE

Affected Products

Vendor	Product	Versions
Bundler	Bundler	< 1.7.0
Opensuse	Opensuse	13.1
Fedoraproject	Fedora	19

Related Weaknesses (CWE)

CWE-20

References

http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-sourVendor Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.htThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.htThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.htThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.htmlThird Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.hThird Party Advisory
http://www.securityfocus.com/bid/70099Third Party AdvisoryVDB Entry
https://security.gentoo.org/glsa/201609-02Third Party Advisory
http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-sourVendor Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.htThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.htThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.htThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.htmlThird Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.hThird Party Advisory
http://www.securityfocus.com/bid/70099Third Party AdvisoryVDB Entry

FAQ

What is CVE-2013-0334?

CVE-2013-0334 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

How severe is CVE-2013-0334?

CVE-2013-0334 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2013-0334?

Check the references section above for vendor advisories and patch information. Affected products include: Bundler Bundler, Opensuse Opensuse, Fedoraproject Fedora.