The maintainers of the RubyGems package manager have addressed a critical security flaw that could have been abused to remove gems and replace them with rogue versions under specific circumstances.
“Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so,” RubyGems said in a security advisory published on May 6, 2022.
In a nutshell, the flaw in question, tracked as CVE-2022-29176, enabled anyone to yank certain gems and upload different files with the same name, the same version number, and a different platform.
For this to happen, however, a gem needed to have one or more dashes in its name, where the word before the dash was the name of an attacker-controlled gem, and it had to have been created within 30 days or to have gone without updates for over 100 days.
“For example, the gem ‘something-provider’ could have been taken over by the owner of the gem ‘something’,” the project owners explained.
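To make the name ambiguity concrete, here is an added, simplified model of a yank endpoint. It is not RubyGems.org's own code (the page does not describe its internals): the registry, the owner names, the method names and the assumption that the target version is resolved from a concatenated `name-version[-platform]` string are all constructed for this illustration, and the 30-day/100-day eligibility rule from the advisory is left out. It shows why authorizing against the gem named in the request is not enough when the version lookup can cross a gem boundary, and the generic fix of tying the lookup to the authorized gem record.

```ruby
# Added illustration, not RubyGems.org's code. Models how a yank lookup
# keyed on a "name-version[-platform]" string becomes ambiguous once gem
# names may themselves contain dashes: the owner of "something" reaches
# "something-provider-1.0.0" by asking to yank "version" provider-1.0.0
# of "something". That RubyGems.org resolved versions this way is an
# assumption of this model; the fix shown is the generic one.

GemRecord  = Struct.new(:name, :owner)
GemVersion = Struct.new(:rubygem, :number, :platform) do
  # Slug used by the toy lookup, e.g. "something-provider-1.0.0"
  def full_name
    suffix = platform == "ruby" ? "" : "-#{platform}"
    "#{rubygem.name}-#{number}#{suffix}"
  end
end

class ToyRegistry
  def initialize
    @gems = {}      # name => GemRecord
    @versions = []  # every pushed GemVersion
  end

  def add_gem(name, owner)
    @gems[name] = GemRecord.new(name, owner)
  end

  def push(gem_name, number, platform = "ruby")
    @versions << GemVersion.new(@gems.fetch(gem_name), number, platform)
  end

  # Vulnerable shape: ownership is checked on the gem named in the
  # request, but the version is then found by its full_name string,
  # which may belong to a different gem entirely.
  def yank_vulnerable(user, gem_name, number, platform = "ruby")
    record = authorize!(user, gem_name)
    suffix = platform == "ruby" ? "" : "-#{platform}"
    target = "#{record.name}-#{number}#{suffix}"
    remove!(@versions.find { |v| v.full_name == target })
  end

  # Fixed shape: the version must belong to the authorized gem record,
  # and name, number and platform are matched as separate fields, so no
  # string concatenation can cross from one gem into another.
  def yank_fixed(user, gem_name, number, platform = "ruby")
    record = authorize!(user, gem_name)
    remove!(@versions.find do |v|
      v.rubygem.name == record.name && v.number == number && v.platform == platform
    end)
  end

  private

  def authorize!(user, gem_name)
    record = @gems.fetch(gem_name) { raise "not found" }
    raise "forbidden" unless record.owner == user
    record
  end

  def remove!(version)
    raise "not found" unless version
    @versions.delete(version)
  end
end

# Constructed scenario: attacker owns "something"; victim owns
# "something-provider" and has pushed 1.0.0. Returns the name of the
# gem that was actually yanked, or the error the endpoint raised.
def attack(fixed:)
  reg = ToyRegistry.new
  reg.add_gem("something", "attacker")
  reg.add_gem("something-provider", "victim")
  reg.push("something-provider", "1.0.0")
  yanked = if fixed
             reg.yank_fixed("attacker", "something", "provider-1.0.0")
           else
             reg.yank_vulnerable("attacker", "something", "provider-1.0.0")
           end
  yanked.rubygem.name
rescue RuntimeError => e
  e.message
end

puts "vulnerable: #{attack(fixed: false)}"  # => something-provider
puts "fixed:      #{attack(fixed: true)}"   # => not found
```

The vulnerable path never consults who owns the version it deletes, only who owns the gem the caller named, which is exactly the gap the prefix-match description above implies; the fixed path makes the ownership check and the version lookup refer to the same record, so the dash in the victim's name no longer matters.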
The project maintainers said there is no evidence that the vulnerability has been exploited in the wild, adding that they did not receive any support emails from gem owners alerting them to the removal of their libraries without authorization.
“An audit of gem changes for the last 18 months did not find any examples of this vulnerability being used in a malicious way,” the maintainers said. “A deeper audit for any possible use of this exploit is ongoing.”
The disclosure comes as NPM addressed several flaws in its platform that could have been weaponized to facilitate account takeover attacks and publish malicious packages.
Chief among them is a supply chain threat called package planting, which allows malicious actors to pass off rogue libraries as legitimate simply by assigning them to trusted, popular maintainers without their knowledge.