Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:gem/bundler@1.17.3
Typegem
Namespace
Namebundler
Version1.17.3
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.2.33
Latest_non_vulnerable_version2.2.33
Affected_by_vulnerabilities
0
url VCID-3vzg-f63c-yfe8
vulnerability_id VCID-3vzg-f63c-yfe8
summary 
Bundler allows attacker to inject arbitrary code via secondary Gem source
Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source.  NOTE: this might overlap CVE-2013-0334.
references
0
reference_url http://collectiveidea.com/blog/archives/2016/10/06/bundlers-multiple-source-security-vulnerability
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://collectiveidea.com/blog/archives/2016/10/06/bundlers-multiple-source-security-vulnerability
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-7954.json
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-7954.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2016-7954
reference_id
reference_type
scores
0
value 0.02779
scoring_system epss
scoring_elements 0.86006
published_at 2026-04-02T12:55:00Z
1
value 0.02779
scoring_system epss
scoring_elements 0.86074
published_at 2026-04-21T12:55:00Z
2
value 0.02779
scoring_system epss
scoring_elements 0.86081
published_at 2026-04-18T12:55:00Z
3
value 0.02779
scoring_system epss
scoring_elements 0.86076
published_at 2026-04-16T12:55:00Z
4
value 0.02779
scoring_system epss
scoring_elements 0.86059
published_at 2026-04-13T12:55:00Z
5
value 0.02779
scoring_system epss
scoring_elements 0.86063
published_at 2026-04-12T12:55:00Z
6
value 0.02779
scoring_system epss
scoring_elements 0.86065
published_at 2026-04-11T12:55:00Z
7
value 0.02779
scoring_system epss
scoring_elements 0.86051
published_at 2026-04-09T12:55:00Z
8
value 0.02779
scoring_system epss
scoring_elements 0.86042
published_at 2026-04-08T12:55:00Z
9
value 0.02779
scoring_system epss
scoring_elements 0.86023
published_at 2026-04-07T12:55:00Z
10
value 0.02779
scoring_system epss
scoring_elements 0.85995
published_at 2026-04-01T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2016-7954
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1381951
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=1381951
4
reference_url https://collectiveidea.com/blog/archives/2016/10/06/bundlers-multiple-source-security-vulnerability
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://collectiveidea.com/blog/archives/2016/10/06/bundlers-multiple-source-security-vulnerability
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv2
scoring_elements AV:N/AC:H/Au:N/C:C/I:C/A:C
1
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/bundler/bundler/issues/5051
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/bundler/bundler/issues/5051
7
reference_url https://github.com/bundler/bundler/issues/5062
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/bundler/bundler/issues/5062
8
reference_url https://github.com/rubygems/bundler
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubygems/bundler
9
reference_url https://web.archive.org/web/20170214030311/http://www.securityfocus.com/bid/93423
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20170214030311/http://www.securityfocus.com/bid/93423
10
reference_url http://www.openwall.com/lists/oss-security/2016/10/04/5
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2016/10/04/5
11
reference_url http://www.openwall.com/lists/oss-security/2016/10/04/7
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2016/10/04/7
12
reference_url http://www.openwall.com/lists/oss-security/2016/10/05/3
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2016/10/05/3
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-7954
reference_id CVE-2016-7954
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2016-7954
14
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2016-7954.yml
reference_id CVE-2016-7954.YML
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2016-7954.yml
15
reference_url https://github.com/advisories/GHSA-jvgm-pfqv-887x
reference_id GHSA-jvgm-pfqv-887x
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jvgm-pfqv-887x
fixed_packages
0
url pkg:gem/bundler@2.0.0
purl pkg:gem/bundler@2.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dy2a-n93k-yfgd
1
vulnerability VCID-vsps-vp65-p3cw
2
vulnerability VCID-xbrw-47yv-wqcr
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/bundler@2.0.0
aliases CVE-2016-7954, GHSA-jvgm-pfqv-887x
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3vzg-f63c-yfe8
1
url VCID-dy2a-n93k-yfgd
vulnerability_id VCID-dy2a-n93k-yfgd
summary 
Dependency Confusion in Bundler
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36327.json
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36327.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-36327
reference_id
reference_type
scores
0
value 0.24725
scoring_system epss
scoring_elements 0.96157
published_at 2026-04-21T12:55:00Z
1
value 0.24725
scoring_system epss
scoring_elements 0.96135
published_at 2026-04-08T12:55:00Z
2
value 0.24725
scoring_system epss
scoring_elements 0.96156
published_at 2026-04-18T12:55:00Z
3
value 0.24725
scoring_system epss
scoring_elements 0.96152
published_at 2026-04-16T12:55:00Z
4
value 0.24725
scoring_system epss
scoring_elements 0.96143
published_at 2026-04-13T12:55:00Z
5
value 0.24725
scoring_system epss
scoring_elements 0.96142
published_at 2026-04-12T12:55:00Z
6
value 0.24725
scoring_system epss
scoring_elements 0.96106
published_at 2026-04-01T12:55:00Z
7
value 0.24725
scoring_system epss
scoring_elements 0.96139
published_at 2026-04-09T12:55:00Z
8
value 0.24725
scoring_system epss
scoring_elements 0.96113
published_at 2026-04-02T12:55:00Z
9
value 0.24725
scoring_system epss
scoring_elements 0.9612
published_at 2026-04-04T12:55:00Z
10
value 0.24725
scoring_system epss
scoring_elements 0.96125
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-36327
2
reference_url https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36327
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36327
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/rubygems/rubygems
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubygems/rubygems
6
reference_url https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2218-may-25-2021
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2218-may-25-2021
7
reference_url https://github.com/rubygems/rubygems/commit/078bf682ac40017b309b5fc69f283ff640e7c129
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubygems/rubygems/commit/078bf682ac40017b309b5fc69f283ff640e7c129
8
reference_url https://github.com/rubygems/rubygems/issues/3982
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements
1
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubygems/rubygems/issues/3982
9
reference_url https://github.com/rubygems/rubygems/pull/4609
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubygems/rubygems/pull/4609
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2020-36327.yml
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2020-36327.yml
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/
13
reference_url https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things
14
reference_url https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/
reference_id
reference_type
scores
url https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/
15
reference_url https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105
16
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-36327
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-36327
17
reference_url https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327
18
reference_url https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/
reference_id
reference_type
scores
url https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/
19
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1958999
reference_id 1958999
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1958999
20
reference_url https://security.archlinux.org/ASA-202106-14
reference_id ASA-202106-14
reference_type
scores
url https://security.archlinux.org/ASA-202106-14
21
reference_url https://security.archlinux.org/AVG-1891
reference_id AVG-1891
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1891
22
reference_url https://github.com/advisories/GHSA-fp4w-jxhp-m23p
reference_id GHSA-fp4w-jxhp-m23p
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fp4w-jxhp-m23p
23
reference_url https://security.gentoo.org/glsa/202408-22
reference_id GLSA-202408-22
reference_type
scores
url https://security.gentoo.org/glsa/202408-22
24
reference_url https://access.redhat.com/errata/RHSA-2021:3020
reference_id RHSA-2021:3020
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3020
25
reference_url https://access.redhat.com/errata/RHSA-2021:3559
reference_id RHSA-2021:3559
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3559
26
reference_url https://access.redhat.com/errata/RHSA-2021:3982
reference_id RHSA-2021:3982
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3982
27
reference_url https://access.redhat.com/errata/RHSA-2022:0543
reference_id RHSA-2022:0543
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0543
28
reference_url https://access.redhat.com/errata/RHSA-2022:0544
reference_id RHSA-2022:0544
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0544
29
reference_url https://access.redhat.com/errata/RHSA-2022:0545
reference_id RHSA-2022:0545
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0545
30
reference_url https://access.redhat.com/errata/RHSA-2022:0546
reference_id RHSA-2022:0546
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0546
31
reference_url https://access.redhat.com/errata/RHSA-2022:0547
reference_id RHSA-2022:0547
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0547
32
reference_url https://access.redhat.com/errata/RHSA-2022:0548
reference_id RHSA-2022:0548
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0548
33
reference_url https://access.redhat.com/errata/RHSA-2022:0581
reference_id RHSA-2022:0581
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0581
34
reference_url https://access.redhat.com/errata/RHSA-2022:0582
reference_id RHSA-2022:0582
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0582
35
reference_url https://access.redhat.com/errata/RHSA-2022:0708
reference_id RHSA-2022:0708
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0708
fixed_packages
0
url pkg:gem/bundler@2.2.10
purl pkg:gem/bundler@2.2.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dy2a-n93k-yfgd
1
vulnerability VCID-xbrw-47yv-wqcr
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/bundler@2.2.10
1
url pkg:gem/bundler@2.2.16
purl pkg:gem/bundler@2.2.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-xbrw-47yv-wqcr
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/bundler@2.2.16
2
url pkg:gem/bundler@2.2.18
purl pkg:gem/bundler@2.2.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-xbrw-47yv-wqcr
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/bundler@2.2.18
aliases CVE-2020-36327, GHSA-fp4w-jxhp-m23p
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dy2a-n93k-yfgd
2
url VCID-vsps-vp65-p3cw
vulnerability_id VCID-vsps-vp65-p3cw
summary 
Insecure path handling in Bundler
Bundler prior to 2.1.0 uses a predictable path in `/tmp/`, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-3881.json
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-3881.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-3881
reference_id
reference_type
scores
0
value 0.00151
scoring_system epss
scoring_elements 0.35701
published_at 2026-04-21T12:55:00Z
1
value 0.00151
scoring_system epss
scoring_elements 0.3575
published_at 2026-04-18T12:55:00Z
2
value 0.00151
scoring_system epss
scoring_elements 0.35761
published_at 2026-04-16T12:55:00Z
3
value 0.00151
scoring_system epss
scoring_elements 0.3572
published_at 2026-04-13T12:55:00Z
4
value 0.00151
scoring_system epss
scoring_elements 0.35743
published_at 2026-04-12T12:55:00Z
5
value 0.00151
scoring_system epss
scoring_elements 0.35655
published_at 2026-04-01T12:55:00Z
6
value 0.00151
scoring_system epss
scoring_elements 0.3571
published_at 2026-04-07T12:55:00Z
7
value 0.00151
scoring_system epss
scoring_elements 0.3588
published_at 2026-04-04T12:55:00Z
8
value 0.00151
scoring_system epss
scoring_elements 0.35853
published_at 2026-04-02T12:55:00Z
9
value 0.00151
scoring_system epss
scoring_elements 0.35788
published_at 2026-04-11T12:55:00Z
10
value 0.00151
scoring_system epss
scoring_elements 0.35779
published_at 2026-04-09T12:55:00Z
11
value 0.00151
scoring_system epss
scoring_elements 0.35756
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-3881
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1651826
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=1651826
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/advisories/GHSA-g98m-96g9-wfjq
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements
1
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-g98m-96g9-wfjq
5
reference_url https://github.com/rubygems/bundler
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubygems/bundler
6
reference_url https://github.com/rubygems/bundler/issues/6501
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubygems/bundler/issues/6501
7
reference_url https://github.com/rubygems/bundler/pull/7416/commits/65cfebb041c454c246aaf32a177b0243915a9998
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubygems/bundler/pull/7416/commits/65cfebb041c454c246aaf32a177b0243915a9998
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2019-3881.yml
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2019-3881.yml
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-3881
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-3881
10
reference_url https://security.gentoo.org/glsa/202408-22
reference_id GLSA-202408-22
reference_type
scores
url https://security.gentoo.org/glsa/202408-22
11
reference_url https://access.redhat.com/errata/RHSA-2021:2230
reference_id RHSA-2021:2230
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2230
12
reference_url https://access.redhat.com/errata/RHSA-2021:2588
reference_id RHSA-2021:2588
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2588
13
reference_url https://usn.ubuntu.com/USN-4870-1/
reference_id USN-USN-4870-1
reference_type
scores
url https://usn.ubuntu.com/USN-4870-1/
fixed_packages
0
url pkg:gem/bundler@2.1.0
purl pkg:gem/bundler@2.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dy2a-n93k-yfgd
1
vulnerability VCID-xbrw-47yv-wqcr
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/bundler@2.1.0
aliases CVE-2019-3881, GHSA-g98m-96g9-wfjq
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vsps-vp65-p3cw
3
url VCID-xbrw-47yv-wqcr
vulnerability_id VCID-xbrw-47yv-wqcr
summary 
Local Code Execution through Argument Injection via dash leading git url parameter in Gemfile.
In `bundler` versions before 2.2.33, when working with untrusted and apparently harmless `Gemfile`'s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that use the `git` option with invalid, but seemingly harmless, values with a leading dash, this can be false.

To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as `git clone`. These commands are being constructed using user input (e.g. the repository URL). When building the
commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables.

Since this value comes from the `Gemfile` file, it can contain any character, including a leading dash.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43809.json
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43809.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-43809
reference_id
reference_type
scores
0
value 0.01319
scoring_system epss
scoring_elements 0.79899
published_at 2026-04-21T12:55:00Z
1
value 0.01553
scoring_system epss
scoring_elements 0.81372
published_at 2026-04-02T12:55:00Z
2
value 0.01553
scoring_system epss
scoring_elements 0.81467
published_at 2026-04-18T12:55:00Z
3
value 0.01553
scoring_system epss
scoring_elements 0.81466
published_at 2026-04-16T12:55:00Z
4
value 0.01553
scoring_system epss
scoring_elements 0.81429
published_at 2026-04-13T12:55:00Z
5
value 0.01553
scoring_system epss
scoring_elements 0.81436
published_at 2026-04-12T12:55:00Z
6
value 0.01553
scoring_system epss
scoring_elements 0.81448
published_at 2026-04-11T12:55:00Z
7
value 0.01553
scoring_system epss
scoring_elements 0.81427
published_at 2026-04-09T12:55:00Z
8
value 0.01553
scoring_system epss
scoring_elements 0.81421
published_at 2026-04-08T12:55:00Z
9
value 0.01553
scoring_system epss
scoring_elements 0.81393
published_at 2026-04-07T12:55:00Z
10
value 0.01553
scoring_system epss
scoring_elements 0.81394
published_at 2026-04-04T12:55:00Z
11
value 0.01553
scoring_system epss
scoring_elements 0.81363
published_at 2026-04-01T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-43809
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43809
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43809
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rubygems/rubygems
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubygems/rubygems
5
reference_url https://github.com/rubygems/rubygems/commit/0fad1ccfe9dd7a3c5b82c1496df3c2b4842870d3
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubygems/rubygems/commit/0fad1ccfe9dd7a3c5b82c1496df3c2b4842870d3
6
reference_url https://github.com/rubygems/rubygems/commit/a4f2f8ac17e6ce81c689527a8b6f14381060d95f
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubygems/rubygems/commit/a4f2f8ac17e6ce81c689527a8b6f14381060d95f
7
reference_url https://github.com/rubygems/rubygems/pull/5142
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubygems/rubygems/pull/5142
8
reference_url https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html
9
reference_url https://www.sonarsource.com/blog/securing-developer-tools-package-managers
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.sonarsource.com/blog/securing-developer-tools-package-managers
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2035260
reference_id 2035260
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2035260
11
reference_url https://security.archlinux.org/AVG-2615
reference_id AVG-2615
reference_type
scores
0
value Low
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2615
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-43809
reference_id CVE-2021-43809
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-43809
13
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2021-43809.yml
reference_id CVE-2021-43809.YML
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2021-43809.yml
14
reference_url https://github.com/advisories/GHSA-fj7f-vq84-fh43
reference_id GHSA-fj7f-vq84-fh43
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fj7f-vq84-fh43
15
reference_url https://github.com/rubygems/rubygems/security/advisories/GHSA-fj7f-vq84-fh43
reference_id GHSA-fj7f-vq84-fh43
reference_type
scores
0
value 6.7
scoring_system cvssv3
scoring_elements
1
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubygems/rubygems/security/advisories/GHSA-fj7f-vq84-fh43
16
reference_url https://security.gentoo.org/glsa/202408-22
reference_id GLSA-202408-22
reference_type
scores
url https://security.gentoo.org/glsa/202408-22
17
reference_url https://access.redhat.com/errata/RHSA-2025:7539
reference_id RHSA-2025:7539
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:7539
fixed_packages
0
url pkg:gem/bundler@2.2.33
purl pkg:gem/bundler@2.2.33
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/bundler@2.2.33
aliases CVE-2021-43809, GHSA-fj7f-vq84-fh43
risk_score 3.3
exploitability 0.5
weighted_severity 6.6
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xbrw-47yv-wqcr
Fixing_vulnerabilities
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:gem/bundler@1.17.3