Crafted directory containing a `Gemfile` file that declares a dependency that is located in a Git repository can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, the exploitability is very low, because it requires a lot of user interaction. Upstream Advisory: https://github.com/rubygems/rubygems/commit/a4f2f8ac17e6ce81c689527a8b6f14381060d95f https://github.com/rubygems/rubygems/security/advisories/GHSA-fj7f-vq84-fh43
Created rubygem-bundler tracking bugs for this issue: Affects: fedora-all [bug 2035261]
Just for your information. Here is a upstream ticket about this CVE. Ruby 2.6.9, bundler 1.17.2 and CVE-2021-43809 https://bugs.ruby-lang.org/issues/18431
@Marian it seems you have linked wrong commit. The correct reference (also referenced in Bundler changelog [2]) should be [1]. [1]: https://github.com/rubygems/rubygems/pull/5142 [2]: https://github.com/rubygems/rubygems/commit/0fad1ccfe9dd7a3c5b82c1496df3c2b4842870d3
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2025:7539 https://access.redhat.com/errata/RHSA-2025:7539