{"url":"http://public2.vulnerablecode.io/api/packages/135912?format=json","purl":"pkg:gem/bundler@2.1.3","type":"gem","namespace":"","name":"bundler","version":"2.1.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.2.33","latest_non_vulnerable_version":"2.2.33","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48728?format=json","vulnerability_id":"VCID-dy2a-n93k-yfgd","summary":"Dependency Confusion in Bundler\nBundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36327.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36327.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-36327","reference_id":"","reference_type":"","scores":[{"value":"0.24725","scoring_system":"epss","scoring_elements":"0.96157","published_at":"2026-04-21T12:55:00Z"},{"value":"0.24725","scoring_system":"epss","scoring_elements":"0.96106","published_at":"2026-04-01T12:55:00Z"},{"value":"0.24725","scoring_system":"epss","scoring_elements":"0.96113","published_at":"2026-04-02T12:55:00Z"},{"value":"0.24725","scoring_system":"epss","scoring_elements":"0.9612","published_at":"2026-04-04T12:55:00Z"},{"value":"0.24725","scoring_system":"epss","scoring_elements":"0.96125","published_at":"2026-04-07T12:55:00Z"},{"value":"0.24725","scoring_system":"epss","scoring_elements":"0.96135","published_at":"2026-04-08T12:55:00Z"},{"value":"0.24725","scoring_system":"epss","scoring_elements":"0.96139","published_at":"2026-04-09T12:55:00Z"},{"value":"0.24725","scoring_system":"epss","scoring_elements":"0.96142","published_at":"2026-04-12T12:55:00Z"},{"value":"0.24725","scoring_system":"epss","scoring_elements":"0.96143","published_at":"2026-04-13T12:55:00Z"},{"value":"0.24725","scoring_system":"epss","scoring_elements":"0.96156","published_at":"2026-04-18T12:55:00Z"},{"value":"0.24725","scoring_system":"epss","scoring_elements":"0.96152","published_at":"2026-04-16T12:55:00Z"},{"value":"0.25206","scoring_system":"epss","scoring_elements":"0.96204","published_at":"2026-04-24T12:55:00Z"},{"value":"0.25206","scoring_system":"epss","scoring_elements":"0.96218","published_at":"2026-05-05T12:55:00Z"},{"value":"0.25206","scoring_system":"epss","scoring_elements":"0.96206","published_at":"2026-04-29T12:55:00Z"},{"value":"0.25206","scoring_system":"epss","scoring_elements":"0.96205","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-36327"},{"reference_url":"https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36327","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36327"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rubygems/rubygems","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubygems/rubygems"},{"reference_url":"https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2218-may-25-2021","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2218-may-25-2021"},{"reference_url":"https://github.com/rubygems/rubygems/commit/078bf682ac40017b309b5fc69f283ff640e7c129","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubygems/rubygems/commit/078bf682ac40017b309b5fc69f283ff640e7c129"},{"reference_url":"https://github.com/rubygems/rubygems/issues/3982","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubygems/rubygems/issues/3982"},{"reference_url":"https://github.com/rubygems/rubygems/pull/4609","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubygems/rubygems/pull/4609"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2020-36327.yml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2020-36327.yml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/"},{"reference_url":"https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things"},{"reference_url":"https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/","reference_id":"","reference_type":"","scores":[],"url":"https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/"},{"reference_url":"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36327","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36327"},{"reference_url":"https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327"},{"reference_url":"https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/","reference_id":"","reference_type":"","scores":[],"url":"https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1958999","reference_id":"1958999","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1958999"},{"reference_url":"https://security.archlinux.org/ASA-202106-14","reference_id":"ASA-202106-14","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202106-14"},{"reference_url":"https://security.archlinux.org/AVG-1891","reference_id":"AVG-1891","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1891"},{"reference_url":"https://github.com/advisories/GHSA-fp4w-jxhp-m23p","reference_id":"GHSA-fp4w-jxhp-m23p","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fp4w-jxhp-m23p"},{"reference_url":"https://security.gentoo.org/glsa/202408-22","reference_id":"GLSA-202408-22","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202408-22"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3020","reference_id":"RHSA-2021:3020","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3020"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3559","reference_id":"RHSA-2021:3559","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3559"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3982","reference_id":"RHSA-2021:3982","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3982"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0543","reference_id":"RHSA-2022:0543","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0543"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0544","reference_id":"RHSA-2022:0544","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0544"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0545","reference_id":"RHSA-2022:0545","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0545"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0546","reference_id":"RHSA-2022:0546","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0546"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0547","reference_id":"RHSA-2022:0547","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0547"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0548","reference_id":"RHSA-2022:0548","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0548"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0581","reference_id":"RHSA-2022:0581","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0581"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0582","reference_id":"RHSA-2022:0582","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0582"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0708","reference_id":"RHSA-2022:0708","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0708"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77617?format=json","purl":"pkg:gem/bundler@2.2.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dy2a-n93k-yfgd"},{"vulnerability":"VCID-xbrw-47yv-wqcr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/bundler@2.2.10"},{"url":"http://public2.vulnerablecode.io/api/packages/135931?format=json","purl":"pkg:gem/bundler@2.2.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xbrw-47yv-wqcr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/bundler@2.2.16"},{"url":"http://public2.vulnerablecode.io/api/packages/77621?format=json","purl":"pkg:gem/bundler@2.2.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xbrw-47yv-wqcr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/bundler@2.2.18"}],"aliases":["CVE-2020-36327","GHSA-fp4w-jxhp-m23p"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dy2a-n93k-yfgd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11706?format=json","vulnerability_id":"VCID-xbrw-47yv-wqcr","summary":"Local Code Execution through Argument Injection via dash leading git url parameter in Gemfile.\nIn `bundler` versions before 2.2.33, when working with untrusted and apparently harmless `Gemfile`'s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that use the `git` option with invalid, but seemingly harmless, values with a leading dash, this can be false.\n\nTo handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as `git clone`. These commands are being constructed using user input (e.g. the repository URL). When building the\ncommands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables.\n\nSince this value comes from the `Gemfile` file, it can contain any character, including a leading dash.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43809.json","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43809.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43809","reference_id":"","reference_type":"","scores":[{"value":"0.01319","scoring_system":"epss","scoring_elements":"0.79899","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81502","published_at":"2026-04-29T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81497","published_at":"2026-04-26T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81393","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81521","published_at":"2026-05-05T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.8149","published_at":"2026-04-24T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81467","published_at":"2026-04-18T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81466","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81429","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81436","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81448","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81363","published_at":"2026-04-01T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81427","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81372","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81394","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81421","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43809"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43809","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43809"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rubygems/rubygems","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubygems/rubygems"},{"reference_url":"https://github.com/rubygems/rubygems/commit/0fad1ccfe9dd7a3c5b82c1496df3c2b4842870d3","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubygems/rubygems/commit/0fad1ccfe9dd7a3c5b82c1496df3c2b4842870d3"},{"reference_url":"https://github.com/rubygems/rubygems/commit/a4f2f8ac17e6ce81c689527a8b6f14381060d95f","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubygems/rubygems/commit/a4f2f8ac17e6ce81c689527a8b6f14381060d95f"},{"reference_url":"https://github.com/rubygems/rubygems/pull/5142","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubygems/rubygems/pull/5142"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html"},{"reference_url":"https://www.sonarsource.com/blog/securing-developer-tools-package-managers","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.sonarsource.com/blog/securing-developer-tools-package-managers"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2035260","reference_id":"2035260","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2035260"},{"reference_url":"https://security.archlinux.org/AVG-2615","reference_id":"AVG-2615","reference_type":"","scores":[{"value":"Low","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2615"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43809","reference_id":"CVE-2021-43809","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43809"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2021-43809.yml","reference_id":"CVE-2021-43809.YML","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2021-43809.yml"},{"reference_url":"https://github.com/advisories/GHSA-fj7f-vq84-fh43","reference_id":"GHSA-fj7f-vq84-fh43","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fj7f-vq84-fh43"},{"reference_url":"https://github.com/rubygems/rubygems/security/advisories/GHSA-fj7f-vq84-fh43","reference_id":"GHSA-fj7f-vq84-fh43","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubygems/rubygems/security/advisories/GHSA-fj7f-vq84-fh43"},{"reference_url":"https://security.gentoo.org/glsa/202408-22","reference_id":"GLSA-202408-22","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202408-22"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:7539","reference_id":"RHSA-2025:7539","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:7539"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42016?format=json","purl":"pkg:gem/bundler@2.2.33","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/bundler@2.2.33"}],"aliases":["CVE-2021-43809","GHSA-fj7f-vq84-fh43"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xbrw-47yv-wqcr"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/bundler@2.1.3"}