CVE-2022-29176

9.9 CRITICAL

📋 TL;DR

This vulnerability in RubyGems.org allowed unauthorized users to remove and replace certain gems from the package registry. It affected gems with dashes in their name that were either created within 30 days or hadn't been updated for over 100 days. The vulnerability could lead to supply chain attacks where malicious code is injected into legitimate packages.

💻 Affected Systems

Products:
  • RubyGems.org
Versions: All versions before May 5, 2022 patch
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects gems meeting specific criteria: names with dashes AND (created within 30 days OR no updates for over 100 days)

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers replace widely-used gems with malicious versions, leading to supply chain compromise affecting thousands of applications and potential data breaches.

🟠

Likely Case

Targeted attacks against specific gems to inject backdoors or steal credentials from applications using those gems.

🟢

If Mitigated

Applications using Bundler in frozen/deployment mode are protected from silent version switches, limiting impact to audit and cleanup.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires RubyGems.org user account but not gem ownership authorization. No evidence of exploitation found in audits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: RubyGems.org patched on May 5, 2022

Vendor Advisory: https://github.com/rubygems/rubygems.org/security/advisories/GHSA-hccv-rwq6-vh79

Restart Required: No

Instructions:

1. RubyGems.org has been patched server-side.
2. No client-side action is required for the vulnerability itself.
3. Users should audit their Gemfile.lock for suspicious changes.

🔧 Temporary Workarounds

Use Bundler frozen/deployment mode

Applies to: all platforms

Prevents silent gem version or platform switches: Bundler refuses to install anything that is not already recorded in Gemfile.lock, so a replaced gem causes an install failure instead of a silent swap.

bundle install --frozen
bundle install --deployment

🧯 If You Can't Patch

  • Audit Gemfile.lock for gems where platform changed without version change (e.g., gemname-3.1.2 to gemname-3.1.2-java)
  • Implement dependency pinning and review all gem updates before deployment
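As an added example (not code from the advisory or from RubyGems.org), a small Ruby script that implements the audit from the first bullet: it compares two Gemfile.lock snapshots and reports gems whose platform suffix changed while the version stayed the same. The gem names and lockfile contents are constructed for illustration.

```ruby
# Parse the "specs:" entries of a Gemfile.lock into {name => [version, platform]}.
# Bundler writes each spec at 4-space indent as "name (version[-platform])";
# transitive dependency lines sit at 6 spaces and are skipped.
def parse_lock_specs(lockfile)
  specs = {}
  lockfile.each_line do |line|
    m = line.match(/\A {4}(\S+) \(([^-)]+)(?:-([^)]+))?\)\s*\z/)
    next unless m
    # No platform suffix means the pure-Ruby build, which Bundler calls "ruby".
    specs[m[1]] = [m[2], m[3] || "ruby"]
  end
  specs
end

# Report gems whose version is unchanged but whose platform differs between
# two lockfile snapshots, e.g. a gem that silently became a "-java" build.
def platform_switches(old_lock, new_lock)
  old_specs = parse_lock_specs(old_lock)
  new_specs = parse_lock_specs(new_lock)
  old_specs.each_with_object([]) do |(name, (version, platform)), out|
    new_version, new_platform = new_specs[name]
    next unless new_version == version && new_platform != platform
    out << { name: name, version: version, from: platform, to: new_platform }
  end
end

# Constructed lockfile excerpts (not real gems); only the GEM specs section matters.
OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-gem (3.1.2)
        rake (>= 12.0)
      native-ext (1.4.0-x86_64-linux)
      rake (13.0.6)
LOCK
NEW_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-gem (3.1.2-java)
        rake (>= 12.0)
      native-ext (1.4.0-x86_64-linux)
      rake (13.0.6)
LOCK

platform_switches(OLD_LOCK, NEW_LOCK).each do |s|
  puts "#{s[:name]} #{s[:version]}: platform #{s[:from]} -> #{s[:to]}"
end
```

Run it against a lockfile from before the suspected change and the current one (for instance a committed copy versus the working tree) and investigate any gem it reports.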

🔍 How to Verify

Check if Vulnerable:

If you installed gems from RubyGems.org before the May 5, 2022 patch, check whether any of them meet the vulnerable criteria (a dash in the name, and either created within 30 days or not updated for over 100 days)

Check Version:

Not applicable - server-side fix

Verify Fix Applied:

RubyGems.org has been patched server-side. Verify by checking advisory status and auditing your Gemfile.lock

📡 Detection & Monitoring

Log Indicators:

  • Unexpected gem yank notifications
  • Gem version changes without owner action

Network Indicators:

  • Unexpected gem downloads from RubyGems.org

SIEM Query:

Search for gem yank events where actor != gem owner
