Source: Cvelist · added 2022/05/05 10:5 p.m. · 15 views

CVE-2022-29176 Unauthorized gem takeover for some gems on rubygems.org

Rubygems is a package registry used to supply software for the Ruby language ecosystem. Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so. To be vulnerable, a gem needed: one or more dashes i...

CVSS 9.9 · AI score 9.6 · EPSS 0.00572
Exploits 0 · References 3
Source: Vulnrichment · added 2022/05/05 10:5 p.m. · 6 views

CVE-2022-29176 Unauthorized gem takeover for some gems on rubygems.org

Rubygems is a package registry used to supply software for the Ruby language ecosystem. Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so. To be vulnerable, a gem needed: one or more dashes i...

CVSS 9.9 · AI score 9.4 · EPSS 0.00572
Exploits 0 · References 3
Source: CVE · added 2022/05/05 10:5 p.m. · 79 views

CVE-2022-29176

CVE-2022-29176 affects RubyGems.org via a yank-action bug that allowed an authorized-appearing gem name (containing a dash) to be removed or replaced with a rogue file when the gem was created within 30 days or had no updates for over 100 days. Multiple trusted sources (NVD, Red Hat, CVE list, an...

CVSS 9.9 · AI score 7.7 · EPSS 0.00572
Exploits 0 · References 3 · Affected Software 1
Source: Positive Technologies · added 2022/05/05 12:0 a.m. · 3 views

PT-2022-2574 · Bundler +1 · Bundler +1

Name of the Vulnerable Software and Affected Versions: RubyGems.org, affected versions not specified.
Description: The issue is related to a bug in the yank action of RubyGems.org, allowing any user to remove and replace certain gems without authorization. A gem is vulnerable if it has one or more...

CVSS 10 · AI score 7.4 · EPSS 0.00572
Exploits 0 · References 11