PT-2022-19470 · Rubygems · Rubygems
Published 2022-05-12 · Updated 2022-12-02 · CVE-2022-29218
CVSS v3.1: 7.7 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
RubyGems (affected versions not specified)
Description
An ordering mistake in the code that accepts gem uploads allowed some gems to be temporarily replaced in the CDN cache by a malicious package. The issue is believed never to have been exploited, based on an extensive review of logs and existing gems. The easiest way to confirm that an application was not affected is to verify that the checksum of every downloaded .gem file matches the checksum recorded in the RubyGems.org database.
Recommendations
To resolve the issue, verify that the checksum of every downloaded .gem file matches the checksum recorded in the RubyGems.org database.
As a temporary workaround, verify the integrity of all gems used by the application to minimize the risk of exploitation.
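The check recommended above, as an added example (not code from the advisory or from RubyGems): it hashes every .gem file in a directory with SHA-256 and compares each digest with a table of recorded checksums. The advisory does not name where to fetch the recorded values; the RubyGems.org v2 version endpoint (https://rubygems.org/api/v2/rubygems/NAME/versions/VERSION.json, "sha" field) is one source, but the table here is constructed inline so the script runs offline. It goes slightly beyond the text by also reporting gems that have no recorded checksum at all, since a cache entry with no matching record is worth a look too. The directory, gem names and file contents are all constructed for the demo.

```ruby
require "digest"
require "tmpdir"

# Compare the SHA-256 of every *.gem in gem_dir with a table of expected
# hex digests keyed by file name. Returns a hash of
#   "name-version.gem" => :ok | :mismatch | :unknown
# :mismatch means the file on disk differs from the recorded checksum
# (the condition the advisory tells you to look for); :unknown means no
# checksum was supplied for that file.
def verify_gem_checksums(gem_dir, expected)
  results = {}
  Dir.glob(File.join(gem_dir, "*.gem")).sort.each do |path|
    name = File.basename(path)
    # Digest::SHA256.file streams the file, so large gems are not read into memory.
    actual = Digest::SHA256.file(path).hexdigest
    results[name] =
      if !expected.key?(name)
        :unknown
      elsif expected[name].casecmp?(actual)
        :ok
      else
        :mismatch
      end
  end
  results
end

# Builds a constructed (hypothetical) gem cache in dir and returns the
# "recorded" checksum table for it. The gem names and contents are fake.
def build_demo_cache(dir)
  good     = "constructed contents of a genuine gem"
  tampered = "constructed contents of a replaced gem"
  File.write(File.join(dir, "example-1.0.0.gem"), good)
  File.write(File.join(dir, "tampered-2.0.0.gem"), tampered)
  File.write(File.join(dir, "unlisted-0.0.1.gem"), "no checksum on record")
  {
    # Recorded digest matches what is on disk.
    "example-1.0.0.gem"  => Digest::SHA256.hexdigest(good),
    # Recorded digest is for the genuine file; the cached copy was replaced.
    "tampered-2.0.0.gem" => Digest::SHA256.hexdigest(good),
  }
end

# Runs the check against the constructed cache in a temporary directory.
def run_demo
  Dir.mktmpdir("gemcheck") do |dir|
    expected = build_demo_cache(dir)
    verify_gem_checksums(dir, expected)
  end
end

if __FILE__ == $0
  run_demo.each { |gem, status| puts "#{status.to_s.ljust(9)} #{gem}" }
end
```

Against a real installation you would point `verify_gem_checksums` at the gem cache directory (for example the `cache` directory under `gem env gemdir`) and fill the expected table from the recorded checksums for each exact name and version; any `:mismatch` is the signal the advisory describes and the gem should be re-fetched and compared again before use.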
Incorrect Authorization
Authentication Bypass by Spoofing
Improper Privilege Management
Related Identifiers
Affected Products
Rubygems