{"id":"CVE-2019-3881","details":"Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.","aliases":["GHSA-g98m-96g9-wfjq"],"modified":"2026-04-09T06:43:52.008857Z","published":"2020-09-04T12:15:10.387Z","related":["ALSA-2021:2588","SUSE-SU-2020:1582-1","SUSE-SU-2020:1582-2","openSUSE-SU-2020:0803-1","openSUSE-SU-2020:0861-1"],"references":[{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1651826"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bundler/bundler","events":[{"introduced":"0"},{"fixed":"683fe9799e37bff81e53f1a7e97d3a19896b8fc9"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.1.0"}]}}],"versions":["0.9.10","0.9.11","0.9.3","0.9.4","0.9.5","0.9.6","0.9.7","0.9.8","0.9.9","1.0.0","1.0.0.beta.1","1.0.0.beta.10","1.0.0.beta.2","1.0.0.beta.3","1.0.0.beta.4","1.0.0.beta.5","1.0.0.beta.6","1.0.0.beta.7","1.0.0.beta.8","1.0.0.beta.9","1.0.0.rc.1","1.0.0.rc.2","1.0.0.rc.3","1.0.0.rc.4","1.0.0.rc.5","1.0.0.rc.6","v0.9.0.pre3","v0.9.0.pre4","v0.9.0.pre5","v1.0.0","v1.0.1","v1.1.pre","v1.1.pre.1","v1.1.pre.10","v1.1.pre.2","v1.1.pre.3","v1.1.pre.4","v1.1.pre.5","v1.1.pre.6","v1.1.pre.7","v1.1.pre.8","v1.1.pre.9","v1.1.rc","v1.1.rc.2","v1.1.rc.3","v1.1.rc.4","v1.1.rc.5","v1.10.0.pre","v1.10.0.pre.1","v1.10.0.pre.2","v1.2.0.pre","v1.2.0.pre.1","v1.2.0.rc","v1.2.0.rc.2","v1.3.0","v1.3.0.pre","v1.3.0.pre.2","v1.3.0.pre.3","v1.3.0.pre.4","v1.3.0.pre.5","v1.3.0.pre.6","v1.3.0.pre.7","v1.3.0.pre.8","v1.3.1","v1.3.2","v1.4.0.pre.1","v1.4.0.pre.2","v1.4.0.rc.1","v1.5.0.rc.1","v1.6.0","v1.6.0.pre.1","v1.6.0.pre.2","v1.6.0.rc","v1.6.0.rc2","v1.6.1","v1.8.0.pre","v1.9.0.pre","v1.9.0.pre.1","v1.9.0.rc","v2.1.0.pre.1","v2.1.0.pre.2","v2.1.0.pre.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-3881.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}