RubyGems fixes package takeover bug
The RubyGems package repository has fixed a package takeover vulnerability (CVE-2022-29176) that could have allowed a malicious user to “yank certain gems and upload different files with the same name, same version number, and different platform”.
A malicious user could have replaced legitimate libraries with malicious code.
To audit your application history for possible past exploits, review your Gemfile.lock and look for gems whose platform changed when the version number did not change. For example, gemname-3.1.2 updating to gemname-3.1.2-java could indicate a possible abuse of this vulnerability.
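One way to automate this audit, as an added example that is not from the advisory or the RubyGems project: the script compares two revisions of a Gemfile.lock and reports gems whose version is unchanged but whose platform differs. The sample lockfiles, the helper-lib gem name and the function names parse_lock and platform_changes are constructed for illustration.

```ruby
require "set"

# Constructed sample lockfiles (hypothetical gem names, not real project data).
OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      gemname (3.1.2)
        helper-lib (~> 1.0)
      helper-lib (1.0.4)
LOCK
NEW_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      gemname (3.1.2-java)
        helper-lib (~> 1.0)
      helper-lib (1.0.5)
LOCK

# Map each [name, version] to the set of platforms locked for it.
# A spec with no platform suffix is the pure-Ruby build ("ruby").
def parse_lock(text)
  specs = Hash.new { |h, k| h[k] = Set.new }
  text.each_line do |line|
    # Spec lines are indented four spaces; dependency lines use six.
    m = line.match(/\A {4}(\S+) \(([^()\s-]+)(?:-([^()\s]+))?\)\s*\z/)
    specs[[m[1], m[2]]] << (m[3] || "ruby") if m
  end
  specs
end

# Findings: same gem name and version in both lockfiles, different platforms.
def platform_changes(old_text, new_text)
  old_specs = parse_lock(old_text)
  parse_lock(new_text).filter_map do |(name, version), platforms|
    before = old_specs.fetch([name, version], nil)
    next if before.nil? || before == platforms
    { gem: name, version: version,
      added: (platforms - before).sort, removed: (before - platforms).sort }
  end
end

if __FILE__ == $PROGRAM_NAME
  old_text, new_text = ARGV.size == 2 ? ARGV.map { |p| File.read(p) } : [OLD_LOCK, NEW_LOCK]
  platform_changes(old_text, new_text).each do |f|
    puts "#{f[:gem]} #{f[:version]}: added #{f[:added]}, removed #{f[:removed]}"
  end
end
```

Two revisions can be exported with git show REV:Gemfile.lock and passed as the two arguments. A deliberate bundle lock --add-platform produces the same pattern, so each finding is a lead to check against your own change history rather than proof of abuse.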
To be vulnerable, a gem needed:
- one or more dashes in its name
- an attacker-controlled gem with the name before the dash
- creation within 30 days OR no updates for over 100 days.
Containment, Mitigations & Remediations
RubyGems.org has been patched and is no longer vulnerable to this issue.
Indicators of Compromise
An audit of gem changes for the last 18 months did not find any examples of this vulnerability being used maliciously.
Attacks against package libraries are becoming more common as they allow an actor to compromise many victims at once.
T1199 – Trusted Relationship
Unauthorized gem takeover for some gems