{"url":"http://public2.vulnerablecode.io/api/packages/516593?format=json","purl":"pkg:apk/alpine/ruby-bundler@2.2.33-r0?arch=armhf&distroversion=v3.15&reponame=main","type":"apk","namespace":"alpine","name":"ruby-bundler","version":"2.2.33-r0","qualifiers":{"arch":"armhf","distroversion":"v3.15","reponame":"main"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11706?format=json","vulnerability_id":"VCID-xbrw-47yv-wqcr","summary":"Local Code Execution through Argument Injection via dash leading git url parameter in Gemfile.\nIn `bundler` versions before 2.2.33, when working with untrusted and apparently harmless `Gemfile`'s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that use the `git` option with invalid, but seemingly harmless, values with a leading dash, this can be false.\n\nTo handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as `git clone`. These commands are being constructed using user input (e.g. the repository URL). When building the\ncommands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables.\n\nSince this value comes from the `Gemfile` file, it can contain any character, including a leading dash.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43809.json","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43809.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43809","reference_id":"","reference_type":"","scores":[{"value":"0.01319","scoring_system":"epss","scoring_elements":"0.79899","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81521","published_at":"2026-05-05T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81502","published_at":"2026-04-29T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81497","published_at":"2026-04-26T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81394","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.8154","published_at":"2026-05-07T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81466","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81429","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81436","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81448","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81427","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81363","published_at":"2026-04-01T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81421","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81372","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81393","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.8149","published_at":"2026-04-24T12:55:00Z"},{"value":"0.01553","scoring_system":"epss","scoring_elements":"0.81467","published_at":"2026-04-18T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43809"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43809","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43809"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rubygems/rubygems","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubygems/rubygems"},{"reference_url":"https://github.com/rubygems/rubygems/commit/0fad1ccfe9dd7a3c5b82c1496df3c2b4842870d3","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubygems/rubygems/commit/0fad1ccfe9dd7a3c5b82c1496df3c2b4842870d3"},{"reference_url":"https://github.com/rubygems/rubygems/commit/a4f2f8ac17e6ce81c689527a8b6f14381060d95f","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubygems/rubygems/commit/a4f2f8ac17e6ce81c689527a8b6f14381060d95f"},{"reference_url":"https://github.com/rubygems/rubygems/pull/5142","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubygems/rubygems/pull/5142"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html"},{"reference_url":"https://www.sonarsource.com/blog/securing-developer-tools-package-managers","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.sonarsource.com/blog/securing-developer-tools-package-managers"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2035260","reference_id":"2035260","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2035260"},{"reference_url":"https://security.archlinux.org/AVG-2615","reference_id":"AVG-2615","reference_type":"","scores":[{"value":"Low","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2615"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43809","reference_id":"CVE-2021-43809","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43809"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2021-43809.yml","reference_id":"CVE-2021-43809.YML","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2021-43809.yml"},{"reference_url":"https://github.com/advisories/GHSA-fj7f-vq84-fh43","reference_id":"GHSA-fj7f-vq84-fh43","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fj7f-vq84-fh43"},{"reference_url":"https://github.com/rubygems/rubygems/security/advisories/GHSA-fj7f-vq84-fh43","reference_id":"GHSA-fj7f-vq84-fh43","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubygems/rubygems/security/advisories/GHSA-fj7f-vq84-fh43"},{"reference_url":"https://security.gentoo.org/glsa/202408-22","reference_id":"GLSA-202408-22","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202408-22"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:7539","reference_id":"RHSA-2025:7539","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:7539"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516593?format=json","purl":"pkg:apk/alpine/ruby-bundler@2.2.33-r0?arch=armhf&distroversion=v3.15&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/ruby-bundler@2.2.33-r0%3Farch=armhf&distroversion=v3.15&reponame=main"}],"aliases":["CVE-2021-43809","GHSA-fj7f-vq84-fh43"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xbrw-47yv-wqcr"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/ruby-bundler@2.2.33-r0%3Farch=armhf&distroversion=v3.15&reponame=main"}