Security News > 2022 > May > Critical Gems Takeover Bug Reported in RubyGems Package Manager
The maintainers of the RubyGems package manager have addressed a critical security flaw that could have been abused to remove gems and replace them with rogue versions under specific circumstances.
"Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so," RubyGems said in a security advisory published on May 6, 2022.
RubyGems, like npm for JavaScript and pip for Python, is a package manager and a gem hosting service for the Ruby programming language, offering a repository of more than 171,500 libraries.
In a nutshell, the flaw in question, tracked as CVE-2022-29176, enabled anyone to pull certain gems and upload different files with the same name, same version number, and different platforms.
The gem 'something-provider' could have been taken over by the owner of the gem 'something,'" the project owners explained.
The project maintainers said that there is no evidence that the vulnerability has been exploited in the wild, adding it didn't receive any support emails from gem owners alerting them to the removal of the libraries without authorization.
News URL
https://thehackernews.com/2022/05/critical-gems-takeover-bug-reported-in.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-05-05 | CVE-2022-29176 | Missing Authorization vulnerability in Rubygems Rubygems.Org Rubygems is a package registry used to supply software for the Ruby language ecosystem. | 7.5 |