RubyGems is a widely used package registry for the Ruby language ecosystem. It was recently discovered that due to a bug in the yank action, a user could remove and replace certain gems without proper authorization. This raises concerns about the possibility of exploiting this vulnerability for malicious purposes. Fortunately, we believe this vulnerability has not been exploited, and we have taken immediate actions to remediate the issue in RubyGems.org. This post will discuss the vulnerability in detail, provide code snippets, and share links to original references to make you aware of the potential consequences and ways to stay protected.

Exploit Details

In order to be vulnerable, a gem must have one or more dashes in its name and must have been created within 30 days or have no updates for over 100 days. This specific bug allowed any RubyGems.org user who wasn't authorized to remove and replace certain gems, possibly causing unintended consequences. Although there is no indication that this vulnerability has been exploited, it is crucial to be aware of such threats to maintain the security of your projects.

Here is an example of how a gem's version could be yanked and replaced with an unauthorized version

Original Gem Name: example-gem-.1.
Yanked Gem Name:  example-gem-.1.
Unauthorized Replacement Gem Name: example-gem-.1.-java

- CVE-2022-29176 - RubyGems Advisory
- RubyGems.org Security Advisory

Audit and Protective Measures

While auditing gem changes for the last 18 months, we have not found any examples of this vulnerability being used in a malicious way. However, a deeper audit is ongoing, and we will update this advisory once it is complete.

As a precautionary measure, we recommend using Bundler in --frozen or --deployment mode in CI and during deploys, as the Bundler team has always advised. This guarantees that your application does not silently switch to versions created using this exploit. You can also check your Gemfile.lock for possible past exploits. If a gem's platform changed without the version number changing, such as "gemname-3.1.2" updating to "gemname-3.1.2-java," it could indicate a possible abuse of this vulnerability.

Patch

RubyGems.org has been patched and is no longer vulnerable to this issue as of the 5th of May 2022. We encourage everyone to stay vigilant and keep an eye on potential security threats to ensure the reliability and security of your projects.

Timeline

Published on: 05/05/2022 22:15:00 UTC
Last modified on: 06/16/2022 15:15:00 UTC