PT-2022-2574 · Unknown · Rubygems.Org

Segiddins

·

Published

2022-05-05

·

Updated

2023-02-10

·

CVE-2022-29176

CVSS v3.1

10

Critical

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

RubyGems.org (affected versions not specified)

Description

The issue stems from a bug in the yank action of RubyGems.org that allows any user to remove and replace certain gems without authorization. A gem is vulnerable if it has one or more dashes in its name and either was created within the last 30 days or has not been updated for over 100 days. There is no evidence that this issue has been exploited: RubyGems.org emails gem owners whenever a gem version is published or yanked, no support emails indicating unauthorized yanking have been received, and an audit of gem changes found no examples of malicious use. Running Bundler in --frozen or --deployment mode guarantees that an application does not silently switch to versions created using this exploit.

Recommendations

To audit your application history for possible past exploitation, review the history of your Gemfile.lock and look for gems whose platform changed while the version number did not. Running Bundler in --frozen or --deployment mode in CI and during deploys guarantees that your application does not silently switch to versions created using this exploit. As a temporary workaround, monitor your gem updates closely until the issue is fully resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability, but RubyGems.org itself has been patched and is no longer vulnerable to this issue as of the 5th of May 2022.
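As an added example (not part of this advisory and not RubyGems.org or Bundler tooling), the Ruby script below applies the audit described above to two revisions of a Gemfile.lock: it parses the GEM specs section and reports every gem version whose set of platforms changed between revisions while the version number stayed the same. The two lockfile snippets are constructed samples; the gem names in them are invented.

```ruby
# Added example: flag gems whose platform changed while the version did not,
# the audit signal this advisory recommends. Lockfiles below are constructed.
require "set"

# Spec lines in the GEM section sit at four-space indent: "name (version[-platform])".
# As in Bundler's lockfile parser, the version contains no dash; anything after
# the first dash inside the parentheses is the platform.
SPEC_LINE = /\A {4}(?! )(\S+) \(([^-)]+)(?:-(.+))?\)\z/

# Returns {name => {version => Set[platform, ...]}}; platform "ruby" when absent.
def parse_lock_specs(lock_text)
  specs = Hash.new { |h, k| h[k] = Hash.new { |h2, k2| h2[k2] = Set.new } }
  in_gem = false
  lock_text.each_line do |line|
    line = line.chomp
    in_gem = (line == "GEM") if line =~ /\A[A-Z]/ # section headers are unindented
    next unless in_gem
    m = SPEC_LINE.match(line) or next
    name, version, platform = m.captures
    specs[name][version] << (platform || "ruby")
  end
  specs
end

# Returns one finding per (gem, version) present in both lockfiles whose
# platform set differs, e.g. a pure-ruby entry silently replaced by a native one.
def platform_changes(old_lock, new_lock)
  old_specs = parse_lock_specs(old_lock)
  new_specs = parse_lock_specs(new_lock)
  findings = []
  old_specs.each do |name, versions|
    next unless new_specs.key?(name)
    versions.each do |version, old_platforms|
      next unless new_specs[name].key?(version)
      new_platforms = new_specs[name][version]
      next if old_platforms == new_platforms
      findings << { name: name, version: version,
                    old: old_platforms.to_a.sort, new: new_platforms.to_a.sort }
    end
  end
  findings
end

# Constructed sample: the second revision keeps version 1.2.0 of
# "example-gem" but now resolves it to a platform-specific build.
OLD_LOCK = "GEM\n  remote: https://rubygems.org/\n  specs:\n" \
           "    example-gem (1.2.0)\n    helper (0.9.1)\n\nPLATFORMS\n  ruby\n"
NEW_LOCK = "GEM\n  remote: https://rubygems.org/\n  specs:\n" \
           "    example-gem (1.2.0-x86_64-linux)\n    helper (0.9.1)\n\nPLATFORMS\n  x86_64-linux\n"

platform_changes(OLD_LOCK, NEW_LOCK).each do |f|
  puts "#{f[:name]} #{f[:version]}: platform #{f[:old].join(',')} -> #{f[:new].join(',')}"
end
```

In practice, run it over consecutive revisions of the lockfile from version control (for example, each pair of `git show <rev>:Gemfile.lock` outputs) and investigate any finding that is not explained by a deliberate platform change.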

Fix

Weakness Enumeration

Incorrect Authorization

Missing Authorization

Related Identifiers

BDU:2022-03018
CVE-2022-29176

Affected Products

Bundler
Rubygems.Org