Security News > 2022 > May > Critical Gems Takeover Bug Reported in RubyGems Package Manager

Critical Gems Takeover Bug Reported in RubyGems Package Manager
2022-05-10 19:45

The maintainers of the RubyGems package manager have addressed a critical security flaw that could have been abused to remove gems and replace them with rogue versions under specific circumstances.

"Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so," RubyGems said in a security advisory published on May 6, 2022.

RubyGems, like npm for JavaScript and pip for Python, is a package manager and a gem hosting service for the Ruby programming language, offering a repository of more than 171,500 libraries.

In a nutshell, the flaw in question, tracked as CVE-2022-29176, enabled anyone to pull certain gems and upload different files with the same name, same version number, and different platforms.

The gem 'something-provider' could have been taken over by the owner of the gem 'something,'" the project owners explained.

The project maintainers said that there is no evidence that the vulnerability has been exploited in the wild, adding it didn't receive any support emails from gem owners alerting them to the removal of the libraries without authorization.


News URL

https://thehackernews.com/2022/05/critical-gems-takeover-bug-reported-in.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-05-05 CVE-2022-29176 Unspecified vulnerability in Rubygems Rubygems.Org
Rubygems is a package registry used to supply software for the Ruby language ecosystem.
network
high complexity
rubygems
7.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Rubygems 2 0 3 16 4 23