Security News > 2022 > May > Check your gems: RubyGems fixes unauthorized package takeover bug

Check your gems: RubyGems fixes unauthorized package takeover bug
2022-05-08 20:59

An initial audit from RubyGems reveals that the vulnerability has not been exploited within the last 18 months to alter any gems, but a deeper audit is still in progress with results yet to be announced.

This week, RubyGems announced that a critical bug could've enabled any RubyGems.org user to yank versions of a gem that they didn't have authorization for, and replace the gem's contents with newer files.

The RubyGems.org registry is the community's gem hosting service allowing developers to instantly publish or install gems and use a set of specialized APIs.

The gem something-provider could have been taken over by the owner of the gem something," explains RubyGems.

"Organizations with many gems were not vulnerable as long as they owned the gem with the name before the dash, for example owning the gem orgname protected all gems with names like orgname-provider."

Seeing your gemname-3.1.2 gem renamed to gemname-3.1.2-java is one possible sign of the package having been exploited.


News URL

https://www.bleepingcomputer.com/news/security/check-your-gems-rubygems-fixes-unauthorized-package-takeover-bug/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Rubygems 2 0 3 16 4 23