Vulnerability details: VCID-6t9d-2n3y-nbgv
Vulnerability ID: VCID-6t9d-2n3y-nbgv
Aliases: CVE-2020-36327, GHSA-fp4w-jxhp-m23p
Summary: insufficient validation
Status: Published
Exploitability: 0.5
Weighted Severity: 8.4
Risk: 4.2
System Score Found at
cvssv3 8.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36327.json
epss 0.12083 https://api.first.org/data/v1/epss?cve=CVE-2020-36327
cvssv3.1 8.8 https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html
generic_textual HIGH https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html
cvssv3.1 8.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-fp4w-jxhp-m23p
cvssv3.1 8.8 https://github.com/rubygems/rubygems
generic_textual HIGH https://github.com/rubygems/rubygems
cvssv3.1 8.8 https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2218-may-25-2021
generic_textual HIGH https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2218-may-25-2021
cvssv3.1 8.8 https://github.com/rubygems/rubygems/commit/078bf682ac40017b309b5fc69f283ff640e7c129
generic_textual HIGH https://github.com/rubygems/rubygems/commit/078bf682ac40017b309b5fc69f283ff640e7c129
cvssv3 8.8 https://github.com/rubygems/rubygems/issues/3982
cvssv3.1 8.8 https://github.com/rubygems/rubygems/issues/3982
generic_textual HIGH https://github.com/rubygems/rubygems/issues/3982
cvssv3.1 8.8 https://github.com/rubygems/rubygems/pull/4609
generic_textual HIGH https://github.com/rubygems/rubygems/pull/4609
cvssv3.1 8.8 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2020-36327.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2020-36327.yml
cvssv3.1 8.8 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL
generic_textual HIGH https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL
cvssv3.1 8.8 https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things
generic_textual HIGH https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things
cvssv3.1 8.8 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105
generic_textual HIGH https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105
cvssv2 9.3 https://nvd.nist.gov/vuln/detail/CVE-2020-36327
cvssv3.1 8.8 https://nvd.nist.gov/vuln/detail/CVE-2020-36327
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2020-36327
archlinux Medium https://security.archlinux.org/AVG-1891
cvssv3.1 8.8 https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327
generic_textual HIGH https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36327.json
https://api.first.org/data/v1/epss?cve=CVE-2020-36327
https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36327
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rubygems/rubygems
https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2218-may-25-2021
https://github.com/rubygems/rubygems/commit/078bf682ac40017b309b5fc69f283ff640e7c129
https://github.com/rubygems/rubygems/issues/3982
https://github.com/rubygems/rubygems/pull/4609
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2020-36327.yml
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/
https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things
https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things/
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105
https://nvd.nist.gov/vuln/detail/CVE-2020-36327
https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327
https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/
1958999 https://bugzilla.redhat.com/show_bug.cgi?id=1958999
ASA-202106-14 https://security.archlinux.org/ASA-202106-14
AVG-1891 https://security.archlinux.org/AVG-1891
cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:*
cpe:2.3:a:microsoft:package_manager_configurations:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:microsoft:package_manager_configurations:-:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
GHSA-fp4w-jxhp-m23p https://github.com/advisories/GHSA-fp4w-jxhp-m23p
RHSA-2021:3020 https://access.redhat.com/errata/RHSA-2021:3020
RHSA-2021:3559 https://access.redhat.com/errata/RHSA-2021:3559
RHSA-2021:3982 https://access.redhat.com/errata/RHSA-2021:3982
RHSA-2022:0543 https://access.redhat.com/errata/RHSA-2022:0543
RHSA-2022:0544 https://access.redhat.com/errata/RHSA-2022:0544
RHSA-2022:0545 https://access.redhat.com/errata/RHSA-2022:0545
RHSA-2022:0546 https://access.redhat.com/errata/RHSA-2022:0546
RHSA-2022:0547 https://access.redhat.com/errata/RHSA-2022:0547
RHSA-2022:0548 https://access.redhat.com/errata/RHSA-2022:0548
RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581
RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582
RHSA-2022:0708 https://access.redhat.com/errata/RHSA-2022:0708
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36327.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/rubygems/rubygems
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2218-may-25-2021
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/rubygems/rubygems/commit/078bf682ac40017b309b5fc69f283ff640e7c129
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/rubygems/rubygems/issues/3982
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/rubygems/rubygems/pull/4609
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2020-36327.yml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://mensfeld.pl/2021/02/rubygems-dependency-confusion-attack-side-of-things
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24105
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C Found at https://nvd.nist.gov/vuln/detail/CVE-2020-36327
Access Vector (AV): network; Access Complexity (AC): medium; Authentication (Au): none; Confidentiality Impact (C): complete; Integrity Impact (I): complete; Availability Impact (A): complete
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2020-36327
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327
Exploit Prediction Scoring System (EPSS)
Percentile 0.93452
EPSS Score 0.12083
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T11:54:25.895736+00:00 Arch Linux Importer Import https://security.archlinux.org/AVG-1891 36.1.3