4 matches found
CVE-2024-35221
CVE-2024-35221 targets Rubygems.org’s gem publishing workflow. A Gem publisher could trigger a Remote DoS by publishing a Gem whose metadata is parsed with Gem::Specification.from_yaml, which uses SafeYAML.load and permits YAML aliases, enabling YAML-bomb style DoS. The issue is documented as pat...
CVE-2024-21654
CVE-2024-21654 affects Rubygems.org, the Ruby package hosting service. A flaw in the forgotten-password flow allows bypassing MFA, enabling account takeover. Root cause: a workaround in the password-reset form. Impact: high (CVE details indicate potential total compromise of an affected account)....
CVE-2023-40165
rubygems.org is the Ruby community's primary gem library hosting service. Insufficient input validation allowed malicious actors to replace any uploaded gem version that had a platform, version number, or gem name matching /-\d/, permanently replacing the legitimate upload in the canonical gem...
Input validation
rubygems.org is the Ruby community's primary gem library hosting service. Insufficient input validation allowed malicious actors to replace any uploaded gem version that had a platform, version number, or gem name matching /-\d/, permanently replacing the legitimate upload in the canonical gem...