CVE-2020-36327: Dependency Confusion

April 29, 2021 (updated July 30, 2021)

Bundler sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application.

References

bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html
msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105
nvd.nist.gov/vuln/detail/CVE-2020-36327

Code Behaviors & Features

Detect and mitigate CVE-2020-36327 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →