Cyber Resilience

CVE-2022-29176

Critical

Published: 05 May 2022

Published
05 May 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0057 69.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-29176 is a critical-severity Missing Authorization (CWE-862) vulnerability in Rubygems Rubygems.Org. Its CVSS base score is 9.9 (Critical).

Operationally, ranked in the top 30.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Rubygems is a package registry used to supply software for the Ruby language ecosystem. Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was…

more

not authorized to do so. To be vulnerable, a gem needed: one or more dashes in its name creation within 30 days OR no updates for over 100 days At present, we believe this vulnerability has not been exploited. RubyGems.org sends an email to all gem owners when a gem version is published or yanked. We have not received any support emails from gem owners indicating that their gem has been yanked without authorization. An audit of gem changes for the last 18 months did not find any examples of this vulnerability being used in a malicious way. A deeper audit for any possible use of this exploit is ongoing, and we will update this advisory once it is complete. Using Bundler in --frozen or --deployment mode in CI and during deploys, as the Bundler team has always recommended, will guarantee that your application does not silently switch to versions created using this exploit. To audit your application history for possible past exploits, review your Gemfile.lock and look for gems whose platform changed when the version number did not change. For example, gemname-3.1.2 updating to gemname-3.1.2-java could indicate a possible abuse of this vulnerability. RubyGems.org has been patched and is no longer vulnerable to this issue as of the 5th of May 2022.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

rubygems
rubygems.org
all versions

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-862 CWE-863

Requiring an access control policy ensures authorization checks are defined and applied for critical functions.

addresses: CWE-862 CWE-863

Reviews of access controls detect missing authorization checks on critical functions or resources.

addresses: CWE-862 CWE-863

Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.

addresses: CWE-862 CWE-863

Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.

addresses: CWE-862 CWE-863

Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.

addresses: CWE-862 CWE-863

The control requires authorization before allowing mobile device connections, directly mitigating missing authorization for system access.

addresses: CWE-862 CWE-863

Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.

addresses: CWE-862 CWE-863

Mandates authorization checks before permitting access or data processing via external systems.

References