CVE-2020-36327 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2020-36327 Interim 1 46 2023-09-06T23:53:23Z current 2021-05-30T14:46:13Z 2023-09-06T23:53:23Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2020-36327 Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise High Availability Extension 11 SP4 SUSE Linux Enterprise High Availability Extension 12 SP3 SUSE Linux Enterprise High Availability Extension 12 SP4 SUSE Linux Enterprise High Availability Extension 12 SP5 SUSE Linux Enterprise Server for SAP All-in-One 11 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE OpenStack Cloud 7 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9 ruby2.1-rubygem-bundler rubygem-bundler rubygem-bundler as a component of SUSE Linux Enterprise High Availability Extension 11 SP4 ruby2.1-rubygem-bundler as a component of SUSE Linux Enterprise High Availability Extension 12 SP3 rubygem-bundler as a component of SUSE Linux Enterprise High Availability Extension 12 SP3 ruby2.1-rubygem-bundler as a component of SUSE Linux Enterprise High Availability Extension 12 SP4 rubygem-bundler as a component of SUSE Linux Enterprise High Availability Extension 12 SP4 ruby2.1-rubygem-bundler as a component of SUSE Linux Enterprise High Availability Extension 12 SP5 rubygem-bundler as a component of SUSE Linux Enterprise High Availability Extension 12 SP5 rubygem-bundler as a component of SUSE Linux Enterprise Server for SAP All-in-One 11 SP4 rubygem-bundler as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 rubygem-bundler as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 rubygem-bundler as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 ruby2.1-rubygem-bundler as a component of SUSE OpenStack Cloud 7 rubygem-bundler as a component of SUSE OpenStack Cloud 7 ruby2.1-rubygem-bundler as a component of SUSE OpenStack Cloud Crowbar 8 rubygem-bundler as a component of SUSE OpenStack Cloud Crowbar 8 ruby2.1-rubygem-bundler as a component of SUSE OpenStack Cloud Crowbar 9 rubygem-bundler as a component of SUSE OpenStack Cloud Crowbar 9 Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product. CVE-2020-36327 SUSE Linux Enterprise High Availability Extension 11 SP4:rubygem-bundler SUSE Linux Enterprise High Availability Extension 12 SP3:ruby2.1-rubygem-bundler SUSE Linux Enterprise High Availability Extension 12 SP3:rubygem-bundler SUSE Linux Enterprise High Availability Extension 12 SP4:ruby2.1-rubygem-bundler SUSE Linux Enterprise High Availability Extension 12 SP4:rubygem-bundler SUSE Linux Enterprise High Availability Extension 12 SP5:ruby2.1-rubygem-bundler SUSE Linux Enterprise High Availability Extension 12 SP5:rubygem-bundler SUSE Linux Enterprise Server for SAP All-in-One 11 SP4:rubygem-bundler SUSE Linux Enterprise Server for SAP Applications 12 SP3:rubygem-bundler SUSE Linux Enterprise Server for SAP Applications 12 SP4:rubygem-bundler SUSE Linux Enterprise Server for SAP Applications 12 SP5:rubygem-bundler SUSE OpenStack Cloud 7:ruby2.1-rubygem-bundler SUSE OpenStack Cloud 7:rubygem-bundler SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-bundler SUSE OpenStack Cloud Crowbar 8:rubygem-bundler SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-bundler SUSE OpenStack Cloud Crowbar 9:rubygem-bundler important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H