CVE-2019-3881
Published: 4 September 2020
Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.
From the Ubuntu Security Team
It was discovered that Bundler incorrectly created directories with insecure permissions in /tmp. An attacker could write malicious libraries to this location for later execution.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
bundler Launchpad, Ubuntu, Debian |
bionic |
Released
(1.16.1-1ubuntu0.1~esm1)
Available with Ubuntu Pro |
| disco |
Not vulnerable
(1.16.1-2)
|
|
| eoan |
Not vulnerable
(1.16.1-2)
|
|
| focal |
Not vulnerable
(1.16.1-2)
|
|
| groovy |
Not vulnerable
(1.16.1-2)
|
|
| hirsute |
Not vulnerable
(1.16.1-2)
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(1.16.1-2)
|
|
| xenial |
Not vulnerable
(code not present)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.8 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References
- https://salsa.debian.org/ruby-team/bundler/blob/debian/1.16.1-2/debian/patches/0006-Don-t-use-insecure-temporary-directory-as-home-direc.patch
- https://salsa.debian.org/ruby-team/bundler/blob/debian/1.16.1-2/debian/patches/0007-Remove-temporary-home-directories.patch
- https://ubuntu.com/security/notices/USN-4870-1
- https://www.cve.org/CVERecord?id=CVE-2019-3881
- NVD
- Launchpad
- Debian