Vulnerability details: VCID-b8s1-g8qy-yud5
Vulnerability ID VCID-b8s1-g8qy-yud5
Aliases CVE-2013-0334
GHSA-49jx-9cmc-xjxm
OSV-110004
Summary Bundler may install gems from a different source than expected
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Weaknesses (4)
System Score Found at
generic_textual MODERATE http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html
epss 0.00498 https://api.first.org/data/v1/epss?cve=CVE-2013-0334
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-49jx-9cmc-xjxm
generic_textual MODERATE https://github.com/rubygems/bundler
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2013-0334.yml
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2013-0334
generic_textual MODERATE https://security.gentoo.org/glsa/201609-02
generic_textual MODERATE https://web.archive.org/web/20210122060358/https://www.securityfocus.com/bid/70099
generic_textual MODERATE http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.64823
EPSS Score 0.00498
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:30:15.320122+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-49jx-9cmc-xjxm/GHSA-49jx-9cmc-xjxm.json 36.1.3