CVE-2016-7954 in bundler

in #utopian-io9 years ago (edited)

Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.



Posted on Utopian.io - Rewarding Open Source Contributors

Meaning: UTOPIAN.IO IS CURRENTLY WIDE OPEN TO THIS ATTACK VECTOR

Reproduce: I'd really rather you didn't.

Patch: Yeah, kind of demanding that.

Edit: There, happy?

Sort:  

Congratulations @caseyjparker! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of posts published
You published 4 posts in one day

Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

By upvoting this notification, you can help all Steemit users. Learn how here!

Notifications have been disabled. Sorry if I bothered you.
To reactivate notifications, drop me a comment with the word NOTIFY

Hi @caseyjparker we cannot approve this contribution. the bug should be well explain and have a way to reproduce. also it should have the info of the devices you use the version or any similar information.

You can contact us on Discord.
[utopian-moderator]

Are you bloody mad? It's a security risk. You want it reproduced - are you asking me to attack utopian.io just to prove to you that it's an attack vector? If you really want that, Fine, but that'll cost money. You're a moderator so I have no idea if you're a dev ... but it's pretty much a betrayal to ignore this sort of security hole. Did I somehow classify this wrongly, like as a bug? Because fine, reclassify it. Or be petty and ignore it - I don't really care in the end.

If anyone else wants to "fix" this issue, feel free. I'm not going to argue with whatever this mod thinks he is.

Coin Marketplace

STEEM 0.04
TRX 0.33
JST 0.095
BTC 62095.48
ETH 1737.24
USDT 1.00
SBD 0.39