RubyGems fixes unauthorized package takeover bug



The RubyGems package repository has mounted a critical vulnerability that would make it possible for anyone to unpublish (“yank”) selected Ruby packages from the repository and republish their tainted or destructive variations with the exact same file names and version figures.

Assigned CVE-2022-29176, the essential flaw existed on, which is the Ruby-equal of, and hosts over 170,000 Ruby packages (gems) with almost 100 billion downloads served over its life time.

An original audit from RubyGems reveals that the vulnerability has not been exploited within just the last 18 months to change any gems, but a deeper audit is still in development with final results yet to be announced.

Hijacking a gem: yank, alter, republish

This week, RubyGems announced that a critical bug could’ve enabled any user to yank versions of a gem that they failed to have authorization for, and switch the gem’s contents with newer documents.

Similar to npm for NodeJS offers, RubyGems is a bundle manager for the Ruby programming language and delivers a standardized format for distributing completed Ruby artifacts (named “gems”). The registry is the community’s gem internet hosting services allowing for builders to quickly publish or install gems and use a set of specialized APIs.

Need to a threat actor become mindful of these types of a flaw, they could quietly replace the contents of legitimate Ruby deals with malware—something which has echoes of npm’s popular ua-parser-js, coa, and rc libraries that were hijacked final 12 months to distribute crypto miners and password stealers.

Despite the fact that the npm hijacking incidents stemmed from maintainer account compromises rather than a vulnerability exploit, they wreaked havoc as libraries like ‘ua-parser-js’ have been used by more than a thousand projects, like all those used by Fb, Microsoft, Amazon, Instagram, Google, Slack, Mozilla, Discord, Elastic, Intuit, Reddit, and quite a few much more perfectly-acknowledged organizations.

In Ruby’s case, mass exploitation of such an exploit could lead to widespread damage to the Ruby ecosystem and in general software package supply chain stability.

To exploit the vulnerability, RubyGems points out, the subsequent conditions need to be met:

  • The gem becoming targeted has one or more dashes in its title, e.g. some thing-provider.
  • The phrase that will come ahead of the 1st dash represents an attacker-controlled gem that exists on
  • The gem being yanked/altered was either created in just the past 30 days or had not been updated in over 100 days.

“For illustration, the gem something-provider could have been taken over by the operator of the gem a thing,” points out RubyGems.

“Businesses with numerous gems have been not susceptible as long as they owned the gem with the identify in advance of the sprint, for illustration owning the gem orgname shielded all gems with names like orgname-supplier.”

This vulnerability, assigned CVE-2022-29176, lurked in the “yank action” of RubyGems code and has now been preset.

Impartial developer and pentester, Greg Molnar has explained the flaw in a very little much more specialized depth.

At this time, maintainers do not think the vulnerability has been exploited, in accordance to the success of an audit that analyzed gem alterations made around the previous 18 months on the platform.

But the registry proprietors state that a further audit is ongoing and its success will abide by in the safety advisory posted for this vulnerability, which also includes some mitigations.

“ sends an email to all gem owners when a gem variation is published or yanked. We have not received any assist e-mails from gem proprietors indicating that their gem has been yanked without having authorization,” states the advisory.

RubyGem builders can audit their software record for feasible past exploits by reviewing their Gemfile.lock and hunting for gems that had their platform modified with model numbers remaining unchanged.

For instance, seeing your gemname-3.1.2 gem renamed to gemname-3.1.2-java is one possible signal of the vulnerability obtaining been exploited.

User laursisask has been credited with reporting the vulnerability via HackerOne.


May well 8th, 5:17 PM ET: Extra information on how to check out if your gem has been exploited via this flaw. 

Might 8th, 5:35 PM ET: Included link to Molnar’s technological assessment of the flaw.


Resource connection