Critical Gems takeover bug reported in RubyGems package manager

Maintainers of the RubyGems package manager have fixed a critical security flaw that could have been abused to remove gems and replace them with malicious versions under specific circumstances.

“Due to a bug in the Yank Action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so,” RubyGems said in a security notice published on May 6, 2022.

RubyGems, like npm for JavaScript and pip for Python, is a package manager and gem hosting service for the Ruby programming language, offering a repository of over 171,500 libraries.

In a nutshell, the flaw in question, identified as CVE-2022-29176, allowed anyone to yank certain gems and upload different files with the same name and version number but a different platform.

For this to happen, however, a gem had to have one or more dashes in its name, where the word before the dash was the name of a gem controlled by the attacker, and the gem had to have been created within the last 30 days or not updated for more than 100 days.

“For example, the ‘something-provider’ gem could have been taken over by the owner of the ‘something’ gem,” the owners of the project explained.
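The conditions described above, turned into an audit helper that flags gems on a registry snapshot matching the advisory's pattern. This is an added example, not RubyGems.org code; it assumes the "word before the dash" means a dash-delimited prefix (every prefix at a dash boundary is checked, a deliberate over-approximation), and the sample gem records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Gem:
    name: str
    owner: str
    created: date
    updated: date


def exposed_gems(gems, today, new_days=30, stale_days=100):
    """Return (gem_name, prefix_gem) pairs for gems that match the advisory's
    pattern: the name contains a dash, a dash-delimited prefix is itself a gem
    owned by a different account, and the gem was either created within
    `new_days` or not updated for more than `stale_days` (assumed thresholds
    taken from the article)."""
    by_name = {g.name: g for g in gems}
    hits = []
    for g in gems:
        parts = g.name.split("-")
        if len(parts) < 2:
            continue
        # Check every prefix before a dash: "a-b-c" -> "a", "a-b" (assumption).
        for i in range(1, len(parts)):
            prefix = "-".join(parts[:i])
            p = by_name.get(prefix)
            if p is None or p.owner == g.owner:
                continue
            recent = (today - g.created) <= timedelta(days=new_days)
            stale = (today - g.updated) > timedelta(days=stale_days)
            if recent or stale:
                hits.append((g.name, prefix))
                break  # one finding per gem is enough for an audit
    return hits


# Constructed sample registry snapshot; names and owners are placeholders.
AUDIT_DATE = date(2022, 5, 6)
SAMPLE_GEMS = [
    Gem("something", "mallory", date(2020, 1, 1), date(2021, 1, 1)),
    Gem("something-provider", "alice", date(2022, 4, 20), date(2022, 4, 20)),  # new
    Gem("something-else", "alice", date(2019, 1, 1), date(2022, 5, 1)),  # active
    Gem("other-tool", "bob", date(2019, 1, 1), date(2021, 1, 1)),  # no "other" gem
    Gem("something-mine", "mallory", date(2022, 5, 1), date(2022, 5, 1)),  # same owner
    Gem("something-old-lib", "carol", date(2019, 1, 1), date(2021, 12, 1)),  # stale
]


def audit_sample():
    return exposed_gems(SAMPLE_GEMS, AUDIT_DATE)


if __name__ == "__main__":
    for name, prefix in audit_sample():
        print(f"{name}: prefix gem '{prefix}' is owned by another account")
```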

Project officials said there was no evidence the vulnerability had been exploited in the wild, adding that they had not received any support emails from gem owners alerting them to the removal of their gems without permission.

“An audit of gem modifications over the past 18 months found no examples of malicious use of this vulnerability,” the officials said. “Further auditing for any possible use of this exploit is underway.”

The disclosure comes as NPM patched several flaws in its platform that could have been weaponized to facilitate account takeover attacks and release malicious packages.

Chief among them is a supply chain threat called package planting that allows malicious actors to pass off rogue libraries as legitimate simply by attributing them to trusted and popular maintainers without their knowledge.
