RubyGems has addressed a critical vulnerability that could have allowed any RubyGems.org user to remove and replace certain Ruby gems.
A package hosting service for the Ruby programming language, RubyGems.org hosts more than 170,000 gems. RubyGems also functions as a package manager.
Tracked as CVE-2022-29176, the recently addressed vulnerability impacts the ‘yank’ action, and could be abused by any user on RubyGems.org to remove certain gems from the repository.
The unauthorized user could then replace the yanked gems with malicious ones having the same name, same version number, and different platform.
According to RubyGems’ maintainers, vulnerable packages were those with at least one dash in their names, where the word before the dash was the name of a gem controlled by the attacker, and which were created within 30 days or hadn’t been updated for more than 100 days.
“For example, the gem something-provider could have been taken over by the owner of the gem something. Organizations with many gems were not vulnerable as long as they owned the gem with the name before the dash, for example owning the gem orgname protected all gems with names like orgname-provider,” the maintainers explain.
RubyGems does not believe that the vulnerability has been exploited, given that all gem owners are notified when a gem version is published or removed, and no reports of unauthorized removal have been received.
“An audit of gem changes for the last 18 months did not find any examples of this vulnerability being used in a malicious way. A deeper audit for any possible use of this exploit is ongoing, and we will update this advisory once it is complete,” RubyGems says.
The issue was resolved with the addition of a check to verify that the user is authorized to access the gem when attempting to yank it, independent developer Greg Molnar says.
Although it hasn’t identified indicators of malicious exploitation of this vulnerability, RubyGems encourages all users to audit their applications for signs of potential tampering.