Segiddins

**Name of the Vulnerable Software and Affected Versions** rubygems.org (affected versions not specified) **Description** The issue is related to insufficient input validation in rubygems.org, the Ruby community's primary gem hosting service. This allowed malicious actors to replace any uploaded gem version that had a platform, version number, or gem name matching `/-d/`, permanently replacing the legitimate upload in the canonical gem storage bucket and triggering an immediate CDN purge. The maintainers have checked all gems matching the `/-d/` pattern and can confirm that no unexpected `.gem`s were found, leading to the belief that this issue was not exploited. Users can verify the integrity of their downloaded gems by checking that the checksums match the ones recorded in the RubyGems.org database. **Recommendations** No action is required on the part of the user, as the issue has been patched with improved input validation and the changes are live. However, users are advised to validate their local gems. To assist in the investigation, users can run `bundle add bundler-integrity` followed by `bundle exec bundler-integrity` to compare RubyGems API-provided checksums with the checksums of files on their disk.

**Name of the Vulnerable Software and Affected Versions** RubyGems.org (affected versions not specified) **Description** A bug in the password and email change confirmation code allowed an attacker to change their RubyGems.org account's email to an unowned email address. This could enable the attacker to save API keys for that account. When a legitimate user attempts to create an account with their email and has to reset the password to gain access, the attacker could then be able to publish and yank versions of those gems. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RubyGems.org (affected versions not specified) **Description** The issue is related to a bug in the yank action of RubyGems.org, allowing any user to remove and replace certain gems without authorization. A gem is vulnerable if it has one or more dashes in its name and was created within 30 days, or if it has not been updated for over 100 days. There is no evidence that this issue has been exploited. RubyGems.org sends emails to gem owners when a gem version is published or yanked, and no support emails have been received indicating unauthorized yanking. An audit of gem changes did not find any examples of malicious use. Using Bundler in --frozen or --deployment mode can guarantee that an application does not silently switch to versions created using this exploit. **Recommendations** To audit your application history for possible past exploits, review your Gemfile.lock and look for gems whose platform changed when the version number did not change. Using Bundler in --frozen or --deployment mode in CI and during deploys will guarantee that your application does not silently switch to versions created using this exploit. As a temporary workaround, consider monitoring your gem updates closely until the issue is fully resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability, but RubyGems.org has been patched and is no longer vulnerable to this issue as of the 5th of May 2022.

**Name of the Vulnerable Software and Affected Versions** RubyGems versions 2.2.9 and earlier RubyGems versions 2.3.6 and earlier RubyGems versions 2.4.3 and earlier RubyGems versions 2.5.0 and earlier RubyGems prior to trunk revision 62422 **Description** The issue is related to a Directory Traversal vulnerability in gem installation, allowing a gem to write to arbitrary filesystem locations during installation. This can be exploited by installing a malicious gem. The vulnerability appears to be related to errors in restricting the path name to a directory with limited access. **Recommendations** For RubyGems versions 2.2.9 and earlier, update to a version newer than 2.7.6. For RubyGems versions 2.3.6 and earlier, update to a version newer than 2.7.6. For RubyGems versions 2.4.3 and earlier, update to a version newer than 2.7.6. For RubyGems versions 2.5.0 and earlier, update to a version newer than 2.7.6. For RubyGems prior to trunk revision 62422, update to a version newer than 2.7.6. As a temporary workaround, consider avoiding the installation of gems from untrusted sources until the issue is resolved.