CVE-2013-0334: Remote code execution

October 31, 2014 (updated July 16, 2019)

Any Gemfile with multiple top-level source lines cannot reliably control the gem server that a particular gem is fetched from. As a result, Bundler might install the wrong gem if more than one source provides a gem with the same name. This is especially possible in the case of Github’s legacy gem server, hosted at gems.github.com. An attacker might create a malicious gem on Rubygems.org with the same name as a commonly-used Github gem. From that point forward, running bundle install might result in the malicious gem being used instead of the expected gem.

References

osvdb.org/show/osvdb/110004
groups.google.com/forum/

Detect and mitigate CVE-2013-0334 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →