Home

CVE-2019-3881

Description

Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the users home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.

Risk Information

Base Score
7.8
MODERATE
Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
0.085

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2019-3881 are fixed in Ruby-bundler 2.1.0Windows
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update ruby-2.6.7-107.module+el8.4.0+10830+bbd85cce.i686.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update ruby-2.6.7-107.module+el8.4.0+10830+bbd85cce.x86_64.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update ruby-debugsource-2.6.7-107.module+el8.4.0+10830+bbd85cce.i686.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update ruby-debugsource-2.6.7-107.module+el8.4.0+10830+bbd85cce.x86_64.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update ruby-devel-2.6.7-107.module+el8.4.0+10830+bbd85cce.i686.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update ruby-devel-2.6.7-107.module+el8.4.0+10830+bbd85cce.x86_64.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update ruby-doc-2.6.7-107.module+el8.4.0+10830+bbd85cce.noarch.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update ruby-libs-2.6.7-107.module+el8.4.0+10830+bbd85cce.i686.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update ruby-libs-2.6.7-107.module+el8.4.0+10830+bbd85cce.x86_64.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-abrt-0.3.0-4.module+el8.1.0+3653+beb38eb0.noarch.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-abrt-doc-0.3.0-4.module+el8.1.0+3653+beb38eb0.noarch.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-bigdecimal-1.4.1-107.module+el8.4.0+10830+bbd85cce.i686.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-bigdecimal-1.4.1-107.module+el8.4.0+10830+bbd85cce.x86_64.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-bson-4.5.0-1.module+el8.1.0+3653+beb38eb0.x86_64.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-bson-debugsource-4.5.0-1.module+el8.1.0+3653+beb38eb0.x86_64.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-bson-doc-4.5.0-1.module+el8.1.0+3653+beb38eb0.noarch.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-bundler-1.17.2-107.module+el8.4.0+10830+bbd85cce.noarch.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-did_you_mean-1.3.0-107.module+el8.4.0+10830+bbd85cce.noarch.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-io-console-0.4.7-107.module+el8.4.0+10830+bbd85cce.i686.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-io-console-0.4.7-107.module+el8.4.0+10830+bbd85cce.x86_64.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-irb-1.0.0-107.module+el8.4.0+10830+bbd85cce.noarch.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-json-2.1.0-107.module+el8.4.0+10830+bbd85cce.i686.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-json-2.1.0-107.module+el8.4.0+10830+bbd85cce.x86_64.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-minitest-5.11.3-107.module+el8.4.0+10830+bbd85cce.noarch.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-mongo-2.8.0-1.module+el8.1.0+3653+beb38eb0.noarch.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-mongo-doc-2.8.0-1.module+el8.1.0+3653+beb38eb0.noarch.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-mysql2-0.5.2-1.module+el8.1.0+3653+beb38eb0.x86_64.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-mysql2-debugsource-0.5.2-1.module+el8.1.0+3653+beb38eb0.x86_64.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-mysql2-doc-0.5.2-1.module+el8.1.0+3653+beb38eb0.noarch.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-net-telnet-0.2.0-107.module+el8.4.0+10830+bbd85cce.noarch.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-openssl-2.1.2-107.module+el8.4.0+10830+bbd85cce.i686.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-openssl-2.1.2-107.module+el8.4.0+10830+bbd85cce.x86_64.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-pg-1.1.4-1.module+el8.1.0+3653+beb38eb0.x86_64.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-pg-debugsource-1.1.4-1.module+el8.1.0+3653+beb38eb0.x86_64.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-pg-doc-1.1.4-1.module+el8.1.0+3653+beb38eb0.noarch.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-power_assert-1.1.3-107.module+el8.4.0+10830+bbd85cce.noarch.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-psych-3.1.0-107.module+el8.4.0+10830+bbd85cce.i686.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-psych-3.1.0-107.module+el8.4.0+10830+bbd85cce.x86_64.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-rake-12.3.3-107.module+el8.4.0+10830+bbd85cce.noarch.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-rdoc-6.1.2-107.module+el8.4.0+10830+bbd85cce.noarch.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-test-unit-3.2.9-107.module+el8.4.0+10830+bbd85cce.noarch.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygem-xmlrpc-0.3.0-107.module+el8.4.0+10830+bbd85cce.noarch.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygems-3.0.3.1-107.module+el8.4.0+10830+bbd85cce.noarch.rpmLinux
(RHSA-2021:2588) ruby:2.6 security, bug fix, and enhancement update rubygems-devel-3.0.3.1-107.module+el8.4.0+10830+bbd85cce.noarch.rpmLinux
Ruby update (ELSA-2021-2588) ruby-2.6.7-107.module+el8.4.0+20235+1e5b8be3.i686.rpmLinux
Ruby update (ELSA-2021-2588) ruby-2.6.7-107.module+el8.4.0+20235+1e5b8be3.x86_64.rpmLinux
Ruby-devel update (ELSA-2021-2588) ruby-devel-2.6.7-107.module+el8.4.0+20235+1e5b8be3.i686.rpmLinux
Ruby-devel update (ELSA-2021-2588) ruby-devel-2.6.7-107.module+el8.4.0+20235+1e5b8be3.x86_64.rpmLinux
Ruby-doc update (ELSA-2021-2588) ruby-doc-2.6.7-107.module+el8.4.0+20235+1e5b8be3.noarch.rpmLinux
Ruby-libs update (ELSA-2021-2588) ruby-libs-2.6.7-107.module+el8.4.0+20235+1e5b8be3.i686.rpmLinux
Ruby-libs update (ELSA-2021-2588) ruby-libs-2.6.7-107.module+el8.4.0+20235+1e5b8be3.x86_64.rpmLinux
Rubygem-abrt update (ELSA-2021-2588) rubygem-abrt-0.3.0-4.module+el8.1.0+5406+ce01f9b9.noarch.rpmLinux
Rubygem-abrt-doc update (ELSA-2021-2588) rubygem-abrt-doc-0.3.0-4.module+el8.1.0+5406+ce01f9b9.noarch.rpmLinux
Rubygem-bigdecimal update (ELSA-2021-2588) rubygem-bigdecimal-1.4.1-107.module+el8.4.0+20235+1e5b8be3.i686.rpmLinux
Rubygem-bigdecimal update (ELSA-2021-2588) rubygem-bigdecimal-1.4.1-107.module+el8.4.0+20235+1e5b8be3.x86_64.rpmLinux
Rubygem-bson update (ELSA-2021-2588) rubygem-bson-4.5.0-1.module+el8.4.0+20235+1e5b8be3.x86_64.rpmLinux
Rubygem-bson-doc update (ELSA-2021-2588) rubygem-bson-doc-4.5.0-1.module+el8.4.0+20235+1e5b8be3.noarch.rpmLinux
Rubygem-bundler update (ELSA-2021-2588) rubygem-bundler-1.17.2-107.module+el8.4.0+20235+1e5b8be3.noarch.rpmLinux
Rubygem-did_you_mean update (ELSA-2021-2588) rubygem-did_you_mean-1.3.0-107.module+el8.4.0+20235+1e5b8be3.noarch.rpmLinux
Rubygem-io-console update (ELSA-2021-2588) rubygem-io-console-0.4.7-107.module+el8.4.0+20235+1e5b8be3.i686.rpmLinux
Rubygem-io-console update (ELSA-2021-2588) rubygem-io-console-0.4.7-107.module+el8.4.0+20235+1e5b8be3.x86_64.rpmLinux
Rubygem-irb update (ELSA-2021-2588) rubygem-irb-1.0.0-107.module+el8.4.0+20235+1e5b8be3.noarch.rpmLinux
Rubygem-json update (ELSA-2021-2588) rubygem-json-2.1.0-107.module+el8.4.0+20235+1e5b8be3.i686.rpmLinux
Rubygem-json update (ELSA-2021-2588) rubygem-json-2.1.0-107.module+el8.4.0+20235+1e5b8be3.x86_64.rpmLinux
Rubygem-minitest update (ELSA-2021-2588) rubygem-minitest-5.11.3-107.module+el8.4.0+20235+1e5b8be3.noarch.rpmLinux
Rubygem-mongo update (ELSA-2021-2588) rubygem-mongo-2.8.0-1.module+el8.1.0+5406+ce01f9b9.noarch.rpmLinux
Rubygem-mongo-doc update (ELSA-2021-2588) rubygem-mongo-doc-2.8.0-1.module+el8.1.0+5406+ce01f9b9.noarch.rpmLinux
Rubygem-mysql2 update (ELSA-2021-2588) rubygem-mysql2-0.5.2-1.module+el8.4.0+20235+1e5b8be3.x86_64.rpmLinux
Rubygem-mysql2-doc update (ELSA-2021-2588) rubygem-mysql2-doc-0.5.2-1.module+el8.4.0+20235+1e5b8be3.noarch.rpmLinux
Rubygem-net-telnet update (ELSA-2021-2588) rubygem-net-telnet-0.2.0-107.module+el8.4.0+20235+1e5b8be3.noarch.rpmLinux
Rubygem-openssl update (ELSA-2021-2588) rubygem-openssl-2.1.2-107.module+el8.4.0+20235+1e5b8be3.i686.rpmLinux
Rubygem-openssl update (ELSA-2021-2588) rubygem-openssl-2.1.2-107.module+el8.4.0+20235+1e5b8be3.x86_64.rpmLinux
Rubygem-pg update (ELSA-2021-2588) rubygem-pg-1.1.4-1.module+el8.4.0+20235+1e5b8be3.x86_64.rpmLinux
Rubygem-pg-doc update (ELSA-2021-2588) rubygem-pg-doc-1.1.4-1.module+el8.4.0+20235+1e5b8be3.noarch.rpmLinux
Rubygem-power_assert update (ELSA-2021-2588) rubygem-power_assert-1.1.3-107.module+el8.4.0+20235+1e5b8be3.noarch.rpmLinux
Rubygem-psych update (ELSA-2021-2588) rubygem-psych-3.1.0-107.module+el8.4.0+20235+1e5b8be3.i686.rpmLinux
Rubygem-psych update (ELSA-2021-2588) rubygem-psych-3.1.0-107.module+el8.4.0+20235+1e5b8be3.x86_64.rpmLinux
Rubygem-rake update (ELSA-2021-2588) rubygem-rake-12.3.3-107.module+el8.4.0+20235+1e5b8be3.noarch.rpmLinux
Rubygem-rdoc update (ELSA-2021-2588) rubygem-rdoc-6.1.2-107.module+el8.4.0+20235+1e5b8be3.noarch.rpmLinux
Rubygem-test-unit update (ELSA-2021-2588) rubygem-test-unit-3.2.9-107.module+el8.4.0+20235+1e5b8be3.noarch.rpmLinux
Rubygem-xmlrpc update (ELSA-2021-2588) rubygem-xmlrpc-0.3.0-107.module+el8.4.0+20235+1e5b8be3.noarch.rpmLinux
Rubygems update (ELSA-2021-2588) rubygems-3.0.3.1-107.module+el8.4.0+20235+1e5b8be3.noarch.rpmLinux
Rubygems-devel update (ELSA-2021-2588) rubygems-devel-3.0.3.1-107.module+el8.4.0+20235+1e5b8be3.noarch.rpmLinux
(RHSA-2021:2588)Moderate: security, bug fix, and enhancement update ruby-debuginfo-2.6.7-107.module+el8.4.0+10830+bbd85cce.i686.rpmLinux
(RHSA-2021:2588)Moderate: security, bug fix, and enhancement update ruby-debuginfo-2.6.7-107.module+el8.4.0+10830+bbd85cce.x86_64.rpmLinux
(RHSA-2021:2588)Moderate: security, bug fix, and enhancement update ruby-libs-debuginfo-2.6.7-107.module+el8.4.0+10830+bbd85cce.i686.rpmLinux
(RHSA-2021:2588)Moderate: security, bug fix, and enhancement update ruby-libs-debuginfo-2.6.7-107.module+el8.4.0+10830+bbd85cce.x86_64.rpmLinux
(RHSA-2021:2588)Moderate: security, bug fix, and enhancement update rubygem-bigdecimal-debuginfo-1.4.1-107.module+el8.4.0+10830+bbd85cce.i686.rpmLinux
(RHSA-2021:2588)Moderate: security, bug fix, and enhancement update rubygem-bigdecimal-debuginfo-1.4.1-107.module+el8.4.0+10830+bbd85cce.x86_64.rpmLinux
(RHSA-2021:2588)Moderate: security, bug fix, and enhancement update rubygem-bson-debuginfo-4.5.0-1.module+el8.1.0+3653+beb38eb0.x86_64.rpmLinux
(RHSA-2021:2588)Moderate: security, bug fix, and enhancement update rubygem-io-console-debuginfo-0.4.7-107.module+el8.4.0+10830+bbd85cce.i686.rpmLinux
(RHSA-2021:2588)Moderate: security, bug fix, and enhancement update rubygem-io-console-debuginfo-0.4.7-107.module+el8.4.0+10830+bbd85cce.x86_64.rpmLinux
(RHSA-2021:2588)Moderate: security, bug fix, and enhancement update rubygem-json-debuginfo-2.1.0-107.module+el8.4.0+10830+bbd85cce.i686.rpmLinux
(RHSA-2021:2588)Moderate: security, bug fix, and enhancement update rubygem-json-debuginfo-2.1.0-107.module+el8.4.0+10830+bbd85cce.x86_64.rpmLinux
(RHSA-2021:2588)Moderate: security, bug fix, and enhancement update rubygem-mysql2-debuginfo-0.5.2-1.module+el8.1.0+3653+beb38eb0.x86_64.rpmLinux
(RHSA-2021:2588)Moderate: security, bug fix, and enhancement update rubygem-openssl-debuginfo-2.1.2-107.module+el8.4.0+10830+bbd85cce.i686.rpmLinux
(RHSA-2021:2588)Moderate: security, bug fix, and enhancement update rubygem-openssl-debuginfo-2.1.2-107.module+el8.4.0+10830+bbd85cce.x86_64.rpmLinux
(RHSA-2021:2588)Moderate: security, bug fix, and enhancement update rubygem-pg-debuginfo-1.1.4-1.module+el8.1.0+3653+beb38eb0.x86_64.rpmLinux
(RHSA-2021:2588)Moderate: security, bug fix, and enhancement update rubygem-psych-debuginfo-3.1.0-107.module+el8.4.0+10830+bbd85cce.i686.rpmLinux
(RHSA-2021:2588)Moderate: security, bug fix, and enhancement update rubygem-psych-debuginfo-3.1.0-107.module+el8.4.0+10830+bbd85cce.x86_64.rpmLinux
Moderate: ruby:2.6 security, bug fix, and enhancement update rubygem-abrt-0.3.0-4.module_el8.5.0+2623+08a8ba32.noarch.rpmLinux
Moderate: ruby:2.6 security, bug fix, and enhancement update rubygem-bson-4.5.0-1.module_el8.5.0+2623+08a8ba32.x86_64.rpmLinux
Moderate: ruby:2.6 security, bug fix, and enhancement update rubygem-bson-doc-4.5.0-1.module_el8.5.0+2623+08a8ba32.noarch.rpmLinux
Moderate: ruby:2.6 security, bug fix, and enhancement update rubygem-mongo-2.8.0-1.module_el8.5.0+2623+08a8ba32.noarch.rpmLinux
Moderate: ruby:2.6 security, bug fix, and enhancement update rubygem-mongo-doc-2.8.0-1.module_el8.5.0+2623+08a8ba32.noarch.rpmLinux
Moderate: ruby:2.6 security, bug fix, and enhancement update rubygem-mysql2-0.5.2-1.module_el8.5.0+2623+08a8ba32.x86_64.rpmLinux
Moderate: ruby:2.6 security, bug fix, and enhancement update rubygem-mysql2-doc-0.5.2-1.module_el8.5.0+2623+08a8ba32.noarch.rpmLinux
Moderate: ruby:2.6 security, bug fix, and enhancement update rubygem-pg-1.1.4-1.module_el8.5.0+2623+08a8ba32.x86_64.rpmLinux
Moderate: ruby:2.6 security, bug fix, and enhancement update rubygem-pg-doc-1.1.4-1.module_el8.5.0+2623+08a8ba32.noarch.rpmLinux
Vulnerabilities CVE-2019-3881 are fixed in Ruby-bundler for Linux 2.1.0Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234