Security News > 2022 > May > RubyGems supply chain rip-and-replace bug fixed – check your logs!
The bug, dubbed CVE-2022-29176, could have allowed attackers to remove a package that wasn't theirs, and then to replace it with modified version of their own.
The RubyGems security bulletin notes that package owners receive an automatic email notification whenever a package of theirs is yanked or published, yet no support tickets were ever received to report peculiar and unexpected changes of this sort.
What package are you working on? You supply the left-hand end of the package name: slithy.
What package would you like to yank? You supply the rest of package name, known at the "Slug", namely: tove.
As the RubyGems team advises, you can check for rogue changes in your own packages by checking your Gemfile.
Any package that you've never left alone for more than 100 days without pushing out an update can apparently be assumed safe, along with any new package created less than 30 days before bug was fixed [2022-05-05]. As a programmer, make sure, whenever you're testing that user X is allowed to perform action Y, that you aren't accidentally testing for a less restrictive permission instead. As as example, if you want to answer the question, "Is user X allowed to list the filenames in directory Y?", it's not enough to check that they're allowed to enumerate files in some higher-level directory Z, and from there to assume the permission percolates downwards automatically.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-05-05 | CVE-2022-29176 | Missing Authorization vulnerability in Rubygems Rubygems.Org Rubygems is a package registry used to supply software for the Ruby language ecosystem. | 7.5 |