RubyGems has issued a fix for a critical flaw, tracked as CVE-2022-29176, which could be exploited to facilitate gem removal and replacement in the Ruby programming language's package hosting service, SecurityWeek reports.
Unauthorized users could abuse the vulnerability to add malicious gems with similar names and version numbers but different platforms in the package hosting service, according to RubyGems maintainers. "
For example, the gem something-provider could have been taken over by the owner of the gem something. Organizations with many gems were not vulnerable as long as they owned the gem with the name before the dash, for example owning the gem orgname protected all gems with names like orgname-provider," said maintainers.
However, maintainers believe that the bug has not been exploited yet.
"An audit of gem changes for the last 18 months did not find any examples of this vulnerability being used in a malicious way. A deeper audit for any possible use of this exploit is ongoing, and we will update this advisory once it is complete," RubyGems said.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news