Debian 11: DLA-4163-1 critical: rubygems code execution risks
debian lts
May 12, 2025
Multiple vulnerabilities were found in rubygems, which contains a package management framework for Ruby and a dependency manager for Ruby applications
Topics Covered
Summary
CVE-2021-43809
In bundler versions before 2.2.33, when working with untrusted and
apparently harmless `Gemfile`'s, it is not expected that they lead to
execution of external code, unless that's explicit in the ruby code inside
the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that
use the `git` option with invalid, but seemingly harmless, values with a
leading dash, this can be false. To handle dependencies that come from a
Git repository instead of a registry, Bundler uses various commands, such
as `git clone`. These commands are being constructed using user input
(e.g. the repository URL). When building the commands, Bundler versions
before 2.2.33 correctly avoid Command Injection vulnerabilities by passing
an array of arguments instead of a command string. However, there is the
possibility that a user input starts with a dash (`-`) and is therefore
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: rubygems
Version: 3.2.5-2+deb11u1
CVE ID: CVE-2021-43809 CVE-2023-28755 CVE-2025-27221
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!