rubygems CVE-2022-29176 explained
Original Post:
We discussed this vulnerability during Episode 145 on 16 May 2022
Interesting but fairly simple vuln in rubygems. It’s a design flaw or logic bug in the way versioning works when yanking a gem. You’re only supposed to be able to yank a gem that you / your API key has ownership over, for obvious reasons. The problem is, rubygems would use a user-provided slug for the version of the package, and it wouldn’t take into account the fact that a user could intentionally craft the slug so that the resulting full name collided with a different package.
The example they give is an attacker who owns a package called rails-html. If there was a victim package such as rails-html-sanitizer-1.4.2, the attacker can use the version slug to build up that package name and yank it.
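To make the name/version ambiguity concrete, here is a small Ruby model of the two lookups side by side: one that resolves the record to yank by the concatenated full name (the flawed design described above) and one that resolves it only inside the gem the caller actually owns. This is an added illustration for these notes, not rubygems.org's real code or its actual patch; the owner table, the version records and the function names are constructed for the example.

```ruby
require "rubygems" # for Gem::Version.correct?

# Constructed sample data (not real rubygems.org records):
# gem name => owner.
OWNERS = {
  "rails-html"           => "attacker",
  "rails-html-sanitizer" => "victim",
}.freeze

# Constructed version records keyed by [gem name, version]; each record
# carries the concatenated full name the registry would also index on.
def fresh_versions
  {
    ["rails-html-sanitizer", "1.4.2"] => {
      full_name: "rails-html-sanitizer-1.4.2", yanked: false
    },
  }
end

# Flawed model: ownership is checked against gem_name, but the record to
# yank is found by "<gem_name>-<version_slug>". Because both gem names and
# versions may contain hyphens, that string is ambiguous, and a slug such as
# "sanitizer-1.4.2" under the gem "rails-html" addresses another gem's record.
def yank_by_full_name(versions, caller, gem_name, version_slug)
  return :forbidden unless OWNERS[gem_name] == caller

  full_name = "#{gem_name}-#{version_slug}"
  record = versions.values.find { |v| v[:full_name] == full_name }
  return :not_found unless record

  record[:yanked] = true
  :yanked
end

# Hardened model: the version is resolved inside the owned gem's own
# namespace, so no slug can reach a record belonging to a different gem.
# Rejecting slugs that are not well-formed version numbers is a second,
# independent check (Gem::Version.correct? is the rubygems stdlib helper).
def yank_scoped(versions, caller, gem_name, version_slug)
  return :forbidden unless OWNERS[gem_name] == caller
  return :bad_version unless Gem::Version.correct?(version_slug)

  record = versions[[gem_name, version_slug]]
  return :not_found unless record

  record[:yanked] = true
  :yanked
end

if $PROGRAM_NAME == __FILE__
  flawed = fresh_versions
  puts yank_by_full_name(flawed, "attacker", "rails-html", "sanitizer-1.4.2") # :yanked
  puts flawed[["rails-html-sanitizer", "1.4.2"]][:yanked]                     # true

  fixed = fresh_versions
  puts yank_scoped(fixed, "attacker", "rails-html", "sanitizer-1.4.2")        # :bad_version
  puts fixed[["rails-html-sanitizer", "1.4.2"]][:yanked]                      # false
  puts yank_scoped(fixed, "victim", "rails-html-sanitizer", "1.4.2")          # :yanked
end
```

The point to take away is in the lookup key: the hardened version never lets caller-supplied text participate in choosing which gem's rows are affected, so the ownership check and the deletion always refer to the same gem. The format check on the slug is defence in depth; scoping the query is the actual fix.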