RubyGems fixes package takeover bug

Overview

The RubyGems package repository has fixed a package takeover vulnerability (CVE-2022-29176) which could have allowed a malicious user to “yank certain gems and upload different files with the same name, same version number, and different platform”.

Impact

A malicious user could have replaced legitimate libraries with malicious code.

Vulnerability Detection

To audit your application's history for possible past exploitation, review your Gemfile.lock and look for gems whose platform changed while the version number did not change. For example, gemname-3.1.2 updating to gemname-3.1.2-java could indicate a possible abuse of this vulnerability.

Affected Products

To be vulnerable, a gem needed:

  • one or more dashes in its name
  • an attacker-controlled gem with the name before the dash
  • creation within 30 days OR no updates for over 100 days.
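The lockfile audit described under Vulnerability Detection, together with the preconditions listed above, as an added Ruby example that is not part of this advisory or of RubyGems' own tooling. It parses the GEM/specs section of two Gemfile.lock snapshots (old and new), reports every gem whose version stayed the same while its platform changed, marks whether the name contains a dash, and checks the age-based precondition. The gem names, versions and dates are constructed for the example; the ownership precondition (who controls the gem named by the part before the dash) needs RubyGems account data and is not checked here.

```ruby
# Added example (not from the advisory): audit two Gemfile.lock snapshots for
# gems whose platform changed while the version number stayed the same.
# All gem names, versions and dates below are constructed sample data.

# Matches a spec line in the GEM/specs section, e.g. "    example-gem (3.1.2-java)".
SPEC_LINE = /\A {4}(\S+) \(([^)]+)\)\z/
SECONDS_PER_DAY = 24 * 60 * 60

# Returns { gem_name => { version => [platform, ...] } } for specs fetched from
# a gem server. Bundler writes platform-specific specs as "version-platform";
# a spec without a platform suffix is the pure-Ruby ("ruby") variant.
def parse_lockfile_specs(text)
  specs = {}
  section = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line.match?(/\A\S/)             # unindented line: GEM, PATH, GIT, PLATFORMS, ...
      section = line
      in_specs = false
      next
    end
    if line == "  specs:"
      in_specs = true
      next
    end
    next unless section == "GEM" && in_specs
    m = SPEC_LINE.match(line) or next  # six-space lines are a spec's dependencies; skip them
    version, platform = m[2].split("-", 2)
    ((specs[m[1]] ||= {})[version] ||= []) << (platform || "ruby")
  end
  specs
end

# Compares two lockfile snapshots and reports every gem/version pair that
# gained a platform without a version change (the signature in the advisory).
def platform_only_changes(old_text, new_text)
  old_specs = parse_lockfile_specs(old_text)
  new_specs = parse_lockfile_specs(new_text)
  findings = []
  new_specs.each do |name, versions|
    old_versions = old_specs[name] or next            # newly added gem: nothing to compare
    versions.each do |version, platforms|
      old_platforms = old_versions[version] or next   # version bumped: an ordinary upgrade
      added = platforms - old_platforms
      next if added.empty?
      findings << {
        gem: name, version: version,
        from: old_platforms.sort, to: platforms.sort,
        dashed_name: name.include?("-"),              # first precondition from the list above
      }
    end
  end
  findings
end

# Age-based precondition: created within 30 days, or not updated for over 100 days.
def age_window_open?(created_at, updated_at, now)
  (now - created_at) <= 30 * SECONDS_PER_DAY || (now - updated_at) > 100 * SECONDS_PER_DAY
end

# Constructed "before" snapshot.
OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-gem (3.1.2)
        rake (>= 12.0)
      rake (13.0.6)
      sample-parser (2.0.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    example-gem
    sample-parser
LOCK

# Constructed "after" snapshot: example-gem kept 3.1.2 but switched to the
# java platform (suspicious); sample-parser bumped its version (ordinary upgrade).
NEW_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-gem (3.1.2-java)
        rake (>= 12.0)
      rake (13.0.6)
      sample-parser (2.1.0-x86_64-linux)

  PLATFORMS
    java
    x86_64-linux

  DEPENDENCIES
    example-gem
    sample-parser
LOCK

puts platform_only_changes(OLD_LOCK, NEW_LOCK).inspect if __FILE__ == $0
```

Run it against two commits of a real Gemfile.lock by replacing the constructed heredocs with `File.read` of each revision. A finding is a lead, not proof: deliberately adding a platform with `bundle lock --add-platform` produces the same version-unchanged, platform-added pattern, so each hit still needs a look at the gem's upload history on RubyGems.org.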

Containment, Mitigations & Remediations

RubyGems.org has been patched and is no longer vulnerable to this issue.

Indicators of Compromise

An audit of gem changes for the last 18 months did not find any examples of this vulnerability being used maliciously.

Threat Landscape

Attacks against package libraries are becoming more common as they allow an actor to compromise many victims at once.

Mitre Methodologies

T1199 – Trusted Relationship

Further Information

Unauthorized gem takeover for some gems

RubyGems CVE-2022-29176 explained