RubyGems Package Manager contains a critical Gems Takeover bug

0

RubyGems Package Manager contains a critical Gems Takeover bug ,The RubyGems package manager’s maintainers have patched a significant security hole that could have been exploited to uninstall gems and replace them with rogue versions under certain conditions.

“Any RubyGems.org user might remove and replace certain gems even if that user was not permitted to do so due to a fault in the yank operation,” RubyGems warned in a security alert released on May 6, 2022.

RubyGems is a package management and gem hosting service for the Ruby programming language, similar to npm for JavaScript and pip for Python. It has over 171,500 libraries in its repository.

In a nutshell, the bug in question, known as CVE-2022-29176, allowed anyone to pluck specific gems and upload multiple files with the same name, version number, and platform.

However, a gem with one or more dashes in its name, with the word before the dash being the name of an attacker-controlled gem, and that was created within 30 days or had no changes for over 100 days, was required for this to happen.

The project owners noted, “For example, the gem’something-provider’ may have been taken over by the owner of the gem’something.'”

According to the project’s maintainers, there is no evidence that the vulnerability has been exploited in the wild, and it hasn’t received any support emails from gem owners alerting them to the libraries being removed without permission.

“An examination of gem updates over the last 18 months revealed no instances of this vulnerability being exploited maliciously,” the maintainers added. “A more thorough investigation into the exploit’s potential uses is continuing.”

The news comes as NPM patched a number of issues in its platform that could have been used to aid account takeover assaults and distribute malicious packages.

One of the most dangerous is package planting, a supply chain issue that allows malicious actors to pass off rogue libraries as legal merely by assigning them to trustworthy, popular maintainers without their awareness.

Have you enjoyed reading this article? To read more exclusive material from THN, follow us on Facebook. RubyGems Package Manager contains a critical Gems Takeover bug.

اترك رد

لن يتم نشر عنوان بريدك الإلكتروني.