Vulnerability details: VCID-qrmf-7afx-6yd8
Vulnerability ID VCID-qrmf-7afx-6yd8
Aliases CVE-2013-0334
GHSA-49jx-9cmc-xjxm
OSV-110004
Summary: Remote code execution. Any Gemfile with multiple top-level `source` lines cannot reliably control which gem server a particular gem is fetched from. As a result, Bundler might install the wrong gem if more than one source provides a gem with the same name. This is especially likely in the case of GitHub's legacy gem server, hosted at gems.github.com. An attacker might create a malicious gem on RubyGems.org with the same name as a commonly used GitHub gem. From that point forward, running `bundle install` might result in the malicious gem being used instead of the expected gem.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
generic_textual MODERATE http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html
epss 0.00498 https://api.first.org/data/v1/epss?cve=CVE-2013-0334
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-49jx-9cmc-xjxm
generic_textual MODERATE https://github.com/rubygems/bundler
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2013-0334.yml
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2013-0334
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2013-0334
generic_textual MODERATE https://security.gentoo.org/glsa/201609-02
generic_textual MODERATE https://web.archive.org/web/20210122060358/https://www.securityfocus.com/bid/70099
generic_textual MODERATE http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
Reference id Reference type URL
http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html
http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html
http://osvdb.org/show/osvdb/110004
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0334.json
https://api.first.org/data/v1/epss?cve=CVE-2013-0334
https://github.com/rubygems/bundler
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2013-0334.yml
https://groups.google.com/forum/#!topic/ruby-security-ann/Rms5sZhLxdo
https://nvd.nist.gov/vuln/detail/CVE-2013-0334
https://web.archive.org/web/20210122060358/https://www.securityfocus.com/bid/70099
https://web.archive.org/web/20210122060358/https://www.securityfocus.com/bid/70099/
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
http://www.securityfocus.com/bid/70099
1146335 https://bugzilla.redhat.com/show_bug.cgi?id=1146335
cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:*
cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
GHSA-49jx-9cmc-xjxm https://github.com/advisories/GHSA-49jx-9cmc-xjxm
GLSA-201609-02 https://security.gentoo.org/glsa/201609-02
RHSA-2015:2180 https://access.redhat.com/errata/RHSA-2015:2180
No exploits are available.
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2013-0334
CVSS v2 metrics decoded from the vector above:
Exploitability (E): not defined (the vector carries no temporal component)
Access Vector (AV): network
Access Complexity (AC): low
Authentication (Au): none
Confidentiality Impact (C): none
Integrity Impact (I): partial
Availability Impact (A): none

Exploit Prediction Scoring System (EPSS)
Percentile 0.65789
EPSS Score 0.00498
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:46:54.650256+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/bundler/CVE-2013-0334.yml 38.0.0