Vulnerability Report

CVE-2022-29218

Title: RubyGems platform manipulation vulnerability

Supply Chain Attack

Proof Of Concept

No public PoC currently indexed for CVE-2022-29218.

CWE Category CWE-863

Published Date May 13, 2022

Modified Date Nov 21, 2024

Exploit Status Not Found

Score 7.7 CVSS v3.1

Exploit Probability (EPSS)

0.49%

Vulnerability Summary

CVE-2022-29218: RubyGems is a package registry used to supply software for the Ruby language ecosystem. An ordering mistake in the code that accepts gem uploads allowed some gems (with platforms ending in numbers, like `arm64-darwin-21`) to be temporarily replaced in the CDN cache by a malicious package. The bug has been patched, and is believed to have never been exploited, based on an extensive review of logs and existing gems by rubygems. The easiest way to ensure that an application has not been exploited by this vulnerability is to verify all downloaded .gems checksums match the checksum recorded in the RubyGems.org database. RubyGems.org has been patched and is no longer vulnerable to this issue.

Impacted Vendors

rubygems 1

Reference Links

https://github.com/rubygems/rubygems.org/security/advisories/GHSA-2jmx-8mh8-pm8w https://security.netapp.com/advisory/ntap-20220629-0010/ https://github.com/rubygems/rubygems.org/security/advisories/GHSA-2jmx-8mh8-pm8w https://security.netapp.com/advisory/ntap-20220629-0010/

CVSS v3.1

Source Entity [email protected]

Severity HIGH

7.7

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

CHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

CVSS v3.1

Source Entity [email protected]

Severity HIGH

7.5

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2.0

Source Entity [email protected]

Severity MEDIUM

5.0

Access Vector

N/A

Authentication

N/A

RAW VECTOR AV:N/AC:L/Au:N/C:N/I:P/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2022-29218 Exploits & PoCs (Proof Of Concept)

No public PoCs found in our database for this CVE.

November 21, 2024 MODIFIED

Vulnerability data or affected products updated.

May 13, 2022 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity LOW

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Affected Stack

No specific products linked.