`Bundler` is a package for managing application dependencies in Ruby. In `bundler` versions before 2.2.33, when working with untrusted and apparently harmless `Gemfile`'s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that use the `git` option with invalid, but seemingly harmless, values with a leading dash, this can be false. To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as `git clone`. These commands are being constructed using user input (e.g. the repository URL). When building the commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. Since this value comes from the `Gemfile` file, it can contain any character, including a leading dash. To exploit this vulnerability, an attacker has to craft a directory containing a `Gemfile` file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of `-u./payload`. This URL will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as `bundle lock`, inside. This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, the exploitability is very low, because it requires a lot of user interaction. Bundler 2.2.33 has patched this problem by inserting `--` as an argument before any positional arguments to those Git commands that were affected by this issue. Regardless of whether users can upgrade or not, they should review any untrustred `Gemfile`'s before running any `bundler` commands that may read them, since they can contain arbitrary ruby code.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2025-7539 advisory.

    - Fix integer overflow in search_in_range function in regexec.c (CVE-2019-19012).
      Resolves: RHEL-87505

    rubygem-abrt     rubygem-bson     rubygem-bundler

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4163 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4163-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                      Lucas Kanashiro     May 12, 2025                                  https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : rubygems     Version        : 3.2.5-2+deb11u1     CVE ID         : CVE-2021-43809 CVE-2023-28755 CVE-2025-27221

    Multiple vulnerabilities were found in rubygems, which contains a package     management framework for Ruby and a dependency manager for Ruby applications.

    CVE-2021-43809

        In bundler versions before 2.2.33, when working with untrusted and         apparently harmless `Gemfile`'s, it is not expected that they lead to         execution of external code, unless that's explicit in the ruby code inside         the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that         use the `git` option with invalid, but seemingly harmless, values with a         leading dash, this can be false. To handle dependencies that come from a         Git repository instead of a registry, Bundler uses various commands, such         as `git clone`.  These commands are being constructed using user input         (e.g.  the repository URL). When building the commands, Bundler versions         before 2.2.33 correctly avoid Command Injection vulnerabilities by passing         an array of arguments instead of a command string.  However, there is the         possibility that a user input starts with a dash (`-`) and is therefore         treated as an optional argument instead of a positional one.  This can lead         to Code Execution because some of the commands have options that can be         leveraged to run arbitrary executables.

    CVE-2023-28755

        A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby         through 3.2.1. The URI parser mishandles invalid URLs that have specific         characters. It causes an increase in execution time for parsing strings to         URI objects.

    CVE-2025-27221

        The URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent         leakage of authentication credentials because userinfo is retained even         after changing the host.

    For Debian 11 bullseye, these problems have been fixed in version     3.2.5-2+deb11u1.

    We recommend that you upgrade your rubygems packages.

    For the detailed security status of rubygems please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/rubygems

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:7539 advisory.

    Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text     files and to perform system management tasks.

    Security Fix(es):

    * oniguruma: integer overflow in search_in_range function in regexec.c leads to out-of-bounds read     (CVE-2019-19012)

    * rubygem-bundler: unexpected code execution in Gemfiles (CVE-2021-43809)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - `Bundler` is a package for managing application dependencies in Ruby. In `bundler` versions before 2.2.33,     when working with untrusted and apparently harmless `Gemfile`'s, it is not expected that they lead to     execution of external code, unless that's explicit in the ruby code inside the `Gemfile` itself. However,     if the `Gemfile` includes `gem` entries that use the `git` option with invalid, but seemingly harmless,     values with a leading dash, this can be false. To handle dependencies that come from a Git repository     instead of a registry, Bundler uses various commands, such as `git clone`. These commands are being     constructed using user input (e.g. the repository URL). When building the commands, Bundler versions     before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead     of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is     therefore treated as an optional argument instead of a positional one. This can lead to Code Execution     because some of the commands have options that can be leveraged to run arbitrary executables. Since this     value comes from the `Gemfile` file, it can contain any character, including a leading dash. To exploit     this vulnerability, an attacker has to craft a directory containing a `Gemfile` file that declares a     dependency that is located in a Git repository. This dependency has to have a Git URL in the form of     `-u./payload`. This URL will be used to construct a Git clone command but will be interpreted as the     upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a     command that evaluates the Gemfile, such as `bundle lock`, inside. This vulnerability can lead to     Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, the     exploitability is very low, because it requires a lot of user interaction. Bundler 2.2.33 has patched this     problem by inserting `--` as an argument before any positional arguments to those Git commands that were     affected by this issue. Regardless of whether users can upgrade or not, they should review any untrustred     `Gemfile`'s before running any `bundler` commands that may read them, since they can contain arbitrary     ruby code. (CVE-2021-43809)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:3873-1 advisory.

    - CVE-2021-43809: Fixed remote execution via Gemfile argument injection (bsc#1193578)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202408-22 (Bundler: Multiple Vulnerabilities)

    Multiple vulnerabilities have been discovered in Bundler. Please review the CVE identifiers referenced     below for details.

Tenable has extracted the preceding description block directly from the Gentoo Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the rubygem package has been released.

ID	Name	Product	Family	Severity
236947	Oracle Linux 8 : ruby:2.5 (ELSA-2025-7539)	Nessus	Oracle Linux Local Security Checks	critical
236773	Debian dla-4163 : bundler - security update	Nessus	Debian Local Security Checks	low
235934	RHEL 8 : ruby:2.5 (RHSA-2025:7539)	Nessus	Red Hat Local Security Checks	critical
224238	Linux Distros Unpatched Vulnerability : CVE-2021-43809	Nessus	Misc.	high
210115	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : rubygem-bundler (SUSE-SU-2024:3873-1)	Nessus	SuSE Local Security Checks	high
205347	GLSA-202408-22 : Bundler: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	high
203168	Photon OS 4.0: Rubygem PHSA-2021-4.0-0139	Nessus	PhotonOS Local Security Checks	high

Detections

Analytics

CVE-2021-43809

high

Tenable Plugins

critical

low

critical

high

high

high

high