Interesting but fairly simple vuln in rubygems. It’s a design flaw or logic bug in the way versioning works when yanking a gem. You’re only supposed to be able to yank a gem that you / your API key has ownership over for obvious reasons. The problem is, rubygems would use a user-provided slug for the version of the package, and it wouldn’t take into account the fact a user could intentionally use the slug to collide with a different package name.

The example they give is if an attacker had a package called rails-html. If there was a victim package such as rails-html-sanitizer-1.4.2, an attacker can use the version slug to build up that package name and yank it.