RubyGems Fixes Critical Gem Takeover Vulnerability

RubyGems has addressed a critical vulnerability that could have allowed any RubyGems.org user to remove and replace certain Ruby gems.

RubyGems.org, the package hosting service for the Ruby programming language, hosts more than 170,000 gems; RubyGems itself is Ruby's package manager, the client that fetches and installs those gems.

Tracked as CVE-2022-29176, the recently addressed vulnerability affects the ‘yank’ action, which removes a published version of a gem from the registry, and could be abused by any RubyGems.org user to yank certain gems they did not own.

The unauthorized user could then push a malicious gem with the same name and same version number but a different platform. Because a release is identified by name, version and platform together, the different platform lets the upload reuse a name and version that installers already trust.

According to RubyGems’ maintainers, the gems at risk were those with at least one dash in their names, where the word before the dash was the name of a gem controlled by the attacker, and which had either been created within the previous 30 days or not been updated for more than 100 days.

“For example, the gem something-provider could have been taken over by the owner of the gem something. Organizations with many gems were not vulnerable as long as they owned the gem with the name before the dash, for example owning the gem orgname protected all gems with names like orgname-provider,” the maintainers explain.

RubyGems does not believe the vulnerability has been exploited: every owner is notified when a version of their gem is published or yanked, and no reports of unauthorized removal have been received.

“An audit of gem changes for the last 18 months did not find any examples of this vulnerability being used in a malicious way. A deeper audit for any possible use of this exploit is ongoing, and we will update this advisory once it is complete,” RubyGems says.

According to independent developer Greg Molnar, the fix adds a check that the requesting user is authorized for the gem before a yank goes through, so a version can no longer be removed by someone who merely owns a similarly named gem.
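To make the exposure criteria quoted above and the shape of the fix concrete, here is an added example in Ruby. It is a toy registry written for this page, not RubyGems.org's code: the `GemRecord` struct, the `exposed_to?` predicate, the two `yank` variants and every gem name, owner and date are constructed. The way the vulnerable path resolves a version by the full "<gem>-<slug>" name is an assumption about the bug's shape, chosen so that owning `something` and sending `provider-1.0.0` lands on `something-provider`, as the maintainers' `something`/`something-provider` example describes.

```ruby
# Added example, not RubyGems.org's own code: a toy registry with a "yank"
# action, modelling (a) the exposure criteria the maintainers described and
# (b) the ownership check that closes the hole. Every gem name, owner and
# date below is constructed for the example.
require 'date'

GemRecord = Struct.new(:name, :owners, :created_at, :updated_at, :versions,
                       keyword_init: true)

class ForbiddenYank < StandardError; end

# Maintainers' criteria: the name contains a dash, the part before the first
# dash is itself a gem the attacker owns, and the target was either created
# within the last 30 days or not updated for more than 100 days.
def exposed_to?(registry, target_name, attacker, today:)
  target = registry[target_name]
  return false unless target && target_name.include?('-')
  prefix = registry[target_name.split('-', 2).first]
  return false unless prefix && prefix.owners.include?(attacker)
  young = (today - target.created_at) <= 30
  stale = (today - target.updated_at) > 100
  young || stale
end

# Assumed (simplified) lookup shape: a yank request names a gem the caller
# owns plus a version slug, and the record to remove is found by the full
# "<gem>-<slug>" name. Owning "something" and sending slug "provider-1.0.0"
# therefore resolves to something-provider 1.0.0, a different gem.
def resolve_version(registry, full_name)
  registry.each_value do |rec|
    rec.versions.each do |v|
      return [rec, v] if "#{rec.name}-#{v}" == full_name
    end
  end
  nil
end

# Vulnerable yank: ownership of the gem named in the request is checked,
# ownership of the gem the resolved version belongs to is not.
def yank_vulnerable!(registry, user, owned_name, slug)
  raise ForbiddenYank unless registry.fetch(owned_name).owners.include?(user)
  rec, version = resolve_version(registry, "#{owned_name}-#{slug}")
  raise ArgumentError, "no such version #{owned_name}-#{slug}" unless rec
  rec.versions.delete(version)
  rec.name
end

# Fixed yank: the same flow, plus a check that the user owns the gem that
# actually came back from the lookup before anything is removed.
def yank_fixed!(registry, user, owned_name, slug)
  raise ForbiddenYank unless registry.fetch(owned_name).owners.include?(user)
  rec, version = resolve_version(registry, "#{owned_name}-#{slug}")
  raise ArgumentError, "no such version #{owned_name}-#{slug}" unless rec
  raise ForbiddenYank unless rec.owners.include?(user) # the added check
  rec.versions.delete(version)
  rec.name
end

# Constructed registry: "something" is owned by the attacker, the stale
# "something-provider" by someone else; "orgname" and "orgname-provider"
# share an owner, which is what protected organisations' gems.
def sample_registry(today)
  {
    'something' => GemRecord.new(name: 'something', owners: ['attacker'],
      created_at: today - 400, updated_at: today - 10, versions: ['1.0.0']),
    'something-provider' => GemRecord.new(name: 'something-provider', owners: ['victim'],
      created_at: today - 400, updated_at: today - 200, versions: ['1.0.0', '1.1.0']),
    'orgname' => GemRecord.new(name: 'orgname', owners: ['org'],
      created_at: today - 400, updated_at: today - 5, versions: ['2.0.0']),
    'orgname-provider' => GemRecord.new(name: 'orgname-provider', owners: ['org'],
      created_at: today - 400, updated_at: today - 200, versions: ['2.0.0'])
  }
end

if __FILE__ == $PROGRAM_NAME
  today = Date.new(2022, 5, 6)
  registry = sample_registry(today)
  puts "something-provider exposed to attacker: #{exposed_to?(registry, 'something-provider', 'attacker', today: today)}"
  puts "vulnerable yank removed a version of: #{yank_vulnerable!(registry, 'attacker', 'something', 'provider-1.0.0')}"
  begin
    yank_fixed!(sample_registry(today), 'attacker', 'something', 'provider-1.0.0')
  rescue ForbiddenYank
    puts 'fixed yank refused the cross-gem request'
  end
end
```

The point the example isolates is that the vulnerable path authorizes the caller against the gem named in the request, while the fixed path authorizes against the gem the lookup actually returned; the `orgname`/`orgname-provider` pair shows why owning the prefix gem was enough to protect an organisation's other gems.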

Although it has found no indicators of malicious exploitation, RubyGems encourages all users to audit their applications for signs of tampering.
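One concrete audit follows from the attack shape described above (same name, same version, different platform): compare an older and a newer Gemfile.lock and flag any gem whose version did not change but whose platform suffix did. The script below is an added example written for this page, not RubyGems' or Bundler's own tooling; the two lock-file snippets are constructed, and the parser assumes the usual Gemfile.lock layout in which top-level entries under `specs:` are indented four spaces and written as `name (version)` or `name (version-platform)`, with no suffix meaning Bundler's generic `ruby` platform.

```ruby
# Added example, not RubyGems/Bundler code: flag Gemfile.lock entries whose
# name and version are unchanged between two snapshots but whose platform
# differs. Both lock-file snippets below are constructed.
LockEntry = Struct.new(:name, :version, :platform)

# Parse the top-level entries of every "specs:" block. Such entries are
# indented exactly four spaces; deeper lines are dependency constraints.
# A missing platform suffix is Bundler's generic "ruby" platform.
def parse_lock_specs(text)
  entries = []
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A\s+specs:\z/
      in_specs = true
    elsif line.empty? || line !~ /\A\s/
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      version, platform = m[2].split('-', 2)
      entries << LockEntry.new(m[1], version, platform || 'ruby')
    end
  end
  entries
end

# Group platforms by (name, version): a lock file may legitimately carry
# several platform variants of the same release.
def platforms_by_release(entries)
  entries.group_by { |e| [e.name, e.version] }
         .transform_values { |es| es.map(&:platform).sort }
end

# Releases present in both snapshots whose platform set changed.
def suspicious_platform_swaps(old_text, new_text)
  old = platforms_by_release(parse_lock_specs(old_text))
  new = platforms_by_release(parse_lock_specs(new_text))
  old.map do |(name, version), old_platforms|
    new_platforms = new[[name, version]]
    next if new_platforms.nil? || new_platforms == old_platforms
    { name: name, version: version, old: old_platforms, new: new_platforms }
  end.compact
end

# Constructed snapshots: the only change is that something-provider 1.0.0
# went from the generic platform to a "java" variant.
OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      racc (1.6.0)
      something-provider (1.0.0)
        racc (~> 1.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    something-provider
LOCK

NEW_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      racc (1.6.0)
      something-provider (1.0.0-java)
        racc (~> 1.4)

  PLATFORMS
    java

  DEPENDENCIES
    something-provider
LOCK

if __FILE__ == $PROGRAM_NAME
  suspicious_platform_swaps(OLD_LOCK, NEW_LOCK).each do |hit|
    puts "#{hit[:name]} #{hit[:version]}: platform #{hit[:old].join(',')} -> #{hit[:new].join(',')}"
  end
end
```

A hit is a triage signal rather than proof of compromise: adding a platform with `bundle lock --add-platform` produces the same diff, so each flagged release should be checked against the gem's publication history and the owner notifications RubyGems sends.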

Related: 1,300 Malicious Packages Found in Popular npm JavaScript Package Manager

Related: GitLab Releases Open Source Tool for Hunting Malicious Code in Dependencies

Related: Software Dependencies Exposed Microsoft, Apple to High-Impact Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
