A crafted directory containing a `Gemfile` that declares a dependency located in a Git repository can lead to arbitrary code execution, which could potentially lead to the takeover of the system. However, the exploitability is very low, because it requires a lot of user interaction.
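As an added illustration (not code from this bug or from Bundler), the following read-only audit lists the Git-sourced dependencies in an untrusted `Gemfile` before anyone runs `bundle install` in that directory; it deliberately never evaluates the file, since a `Gemfile` is Ruby code and loading it through Bundler would already execute it. The flagging of `branch`/`ref`/`tag` values that begin with `-` mirrors the validation added by the upstream fix, a detail this page does not spell out; the sample `Gemfile` text is constructed.

```ruby
# Added example: pre-flight audit of an untrusted Gemfile without executing it.
# Pattern-matches the text for dependencies pulled from Git repositories (the
# ingredient CVE-2021-43809 relies on) and reports their ref options.

GIT_SOURCE_RE = /\b(?:git|github|gitlab|bitbucket):\s*(["'])(.*?)\1/
GIT_BLOCK_RE  = /^\s*git\s+(["'])(.*?)\1/
REF_OPTION_RE = /\b(?:branch|ref|tag):\s*(["'])(.*?)\1/

# Returns an array of hashes, one per git-sourced dependency found.
def audit_gemfile(text)
  findings = []
  text.each_line.with_index(1) do |line, lineno|
    next if line.strip.start_with?('#')          # ignore commented-out lines
    m = line.match(GIT_SOURCE_RE) || line.match(GIT_BLOCK_RE)
    next unless m
    finding = { line: lineno, source: m[2] }
    if (opt = line.match(REF_OPTION_RE))
      finding[:ref] = opt[2]
      # A ref that looks like a command-line flag deserves a closer look;
      # the upstream fix rejects such values (assumption: not stated on this page).
      finding[:suspicious] = opt[2].start_with?('-')
    end
    findings << finding
  end
  findings
end

# Constructed sample Gemfile for illustration; example.invalid is a placeholder host.
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rake"
  # gem "old", git: "https://example.invalid/old.git"
  gem "foo", git: "https://example.invalid/foo.git", branch: "main"
  gem "bar", github: "example/bar", ref: "--not-a-ref"
  git "https://example.invalid/baz.git" do
    gem "baz"
  end
GEMFILE

if __FILE__ == $0
  audit_gemfile(SAMPLE_GEMFILE).each do |f|
    puts "line #{f[:line]}: #{f[:source]} ref=#{f[:ref].inspect} suspicious=#{f[:suspicious].inspect}"
  end
end
```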
Created rubygem-bundler tracking bugs for this issue:
Affects: fedora-all [bug 2035261]
Just for your information. Here is an upstream ticket about this CVE.
Ruby 2.6.9, bundler 1.17.2 and CVE-2021-43809
@Marian it seems you have linked the wrong commit. The correct reference (also referenced in the Bundler changelog) should be .