RubyGems package manager maintainers have addressed a critical security flaw that in certain circumstances could be used to remove gems and replace them with fake versions.
“Due to a bug in the yank action, any RubyGems.org user could remove and replace certain gems, even if that user was not authorized to do so,” RubyGems said in a security advisory published on May 6, 2022.
In a nutshell, the flaw, tracked as CVE-2022-29176, allowed anyone to yank certain gems and upload different files under the same name, the same version number and a different platform.
However, for this to happen, the gem had to have one or more dashes in its name, where the word before the dash was the name of a gem controlled by the attacker, and the gem had to have been created within 30 days or not updated for more than 100 days.
“For example, the gem ‘something-supplier’ could be taken over by the owners of the gem ‘something’,” the project maintainers explained.
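The class of bug described above, an ownership check on one object paired with a lookup that can resolve to a different object, is easiest to see in a small model. The following Ruby is an added illustration, not rubygems.org code: `ToyRegistry`, its package and owner names, and the version strings are all constructed for the example, the exact lookup in the real service differed, and the 30-day/100-day age conditions are not modelled. It shows a removal routine whose release lookup is built from string concatenation beside one whose lookup is scoped to the package that passed the authorization check.

```ruby
# Added illustration, not rubygems.org code: a toy registry modelling the class of
# bug described above. Package names, owners and versions are constructed.

Package = Struct.new(:name, :owners)

Release = Struct.new(:package, :number, :platform) do
  # A RubyGems-style "full name": name-version, plus -platform for non-ruby builds,
  # e.g. "something-supplier-1.0.0". Dashes in package names make this ambiguous.
  def full_name
    [package.name, number, (platform == "ruby" ? nil : platform)].compact.join("-")
  end
end

class ToyRegistry
  attr_reader :releases

  def initialize
    @packages = {}
    @releases = []
  end

  def add_package(name, *owners)
    @packages[name] = Package.new(name, owners)
  end

  def add_release(name, number, platform = "ruby")
    @releases << Release.new(@packages.fetch(name), number, platform)
  end

  # Vulnerable pattern: ownership is checked on the package the caller names,
  # but the release to remove is found by string-matching a rebuilt full name,
  # so the match can land on a release belonging to another dashed package.
  def yank_vulnerable(user, name, number)
    pkg = @packages[name]
    return :unauthorized unless pkg && pkg.owners.include?(user)
    target = @releases.find { |r| r.full_name == "#{name}-#{number}" }
    return :not_found unless target
    @releases.delete(target)
    :yanked
  end

  # Hardened pattern: the lookup is scoped to the very package object that passed
  # the ownership check, so no string ambiguity can reach another owner's release.
  def yank_fixed(user, name, number)
    pkg = @packages[name]
    return :unauthorized unless pkg && pkg.owners.include?(user)
    target = @releases.find { |r| r.package.equal?(pkg) && r.number == number }
    return :not_found unless target
    @releases.delete(target)
    :yanked
  end
end

# Constructed scenario: "something" and "something-supplier" have different owners.
def build_registry
  reg = ToyRegistry.new
  reg.add_package("something", "prefix-owner")
  reg.add_package("something-supplier", "real-owner")
  reg.add_release("something", "2.0.0")
  reg.add_release("something-supplier", "1.0.0")
  reg
end

# Runs one request through both checks on fresh registries and reports the
# outcome plus whether the other owner's release is still present afterwards.
def compare_yank(user, name, number)
  results = {}
  [:yank_vulnerable, :yank_fixed].each do |method|
    reg = build_registry
    outcome = reg.public_send(method, user, name, number)
    intact = reg.releases.any? { |r| r.package.name == "something-supplier" }
    results[method] = { outcome: outcome, other_release_intact: intact }
  end
  results
end

if $PROGRAM_NAME == __FILE__
  compare_yank("prefix-owner", "something", "supplier-1.0.0").each do |m, r|
    puts "#{m}: #{r[:outcome]}, other owner's release intact: #{r[:other_release_intact]}"
  end
end
```

The point for a reviewer of any registry or API code is the shape of `yank_fixed`: once a caller has been authorized on a specific object, every subsequent lookup should be scoped to that object rather than rebuilt from caller-supplied strings, and an audit like the one the maintainers describe would look for removals where the authorized package and the removed release's package differ.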
Project officials said there was no evidence that the vulnerability had been exploited in the wild, adding that they had not received any support emails from gem owners reporting that libraries had been removed without permission.
“An audit of changes in gems over the past 18 months has found no examples of this vulnerability being exploited in a harmful way,” the staff said. “A deeper audit for any possible use of this exploit continues.”
The disclosure comes after npm fixed several flaws in its platform that could have been used to facilitate account hijacking and the publishing of malicious packages.
Chief among them was a supply chain threat dubbed package planting, which allowed attackers to pass off fraudulent libraries as legitimate by simply assigning them to trusted, popular maintainers without their knowledge.