This site may contain outdated or incomplete information.
RubyGems Package Overwrite Flaw
This security bug has been identified as CVE-2022-29176 and affects the RubyGems.org website which is the home of open source libraries for the Ruby developer ecosystem.
Impact
A security bug allowed anyone to remove legitimate packages on the RubyGems open source registry for Ruby, and then republish the same packages as new, with modified code and potentially malicious contents.
Even though exploiting this vulnerability requires specific conditions to apply, such as a gem has to be of specific naming convention, its impact could still be devastating if it were to go unnoticed.
As of yet, the RubyGems.org website maintainers haven’t confirmed any known cases of malicious exploitation they are aware of.
Type of Compromise
This incident fits the Dev Tooling definition.
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.