CVE-2022-29218

7.7 HIGH

📋 TL;DR

A cache poisoning vulnerability in RubyGems allowed malicious packages to temporarily replace legitimate gems in CDN caches when platform names ended with numbers. This affected all Ruby applications downloading gems from RubyGems.org during the vulnerable period. The vulnerability could have led to supply chain attacks but was never exploited according to RubyGems maintainers.

💻 Affected Systems

Products:
  • RubyGems.org
Versions: All versions before patch deployment on May 6, 2022
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects RubyGems.org registry, not local RubyGems installations. Gems with platform names ending in numbers (like 'arm64-darwin-21') were potentially vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could replace legitimate gems with malicious versions, leading to remote code execution, data theft, or backdoor installation in dependent applications.

🟠 Likely Case

If exploited, malicious packages could be served to users from CDN caches, potentially compromising applications that download affected gems.

🟢 If Mitigated

With proper verification of gem checksums, the impact is minimal as users can detect tampered packages before installation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

No evidence of exploitation found. Attack would require uploading specially crafted gem packages to trigger cache poisoning.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: RubyGems.org patched on May 6, 2022

Vendor Advisory: https://github.com/rubygems/rubygems.org/security/advisories/GHSA-2jmx-8mh8-pm8w

Restart Required: No

Instructions:

1. RubyGems.org has been patched automatically.
2. Users should verify that gem checksums match the RubyGems.org database.
3. No action is needed for RubyGems client software.

🔧 Temporary Workarounds

Verify gem checksums

all

Manually verify that the SHA256 checksums of downloaded gems match those recorded in the RubyGems.org database.

gem fetch gemname                 # downloads gemname-<version>.gem into the current directory
sha256sum gemname-version.gem     # hash the downloaded package
# Compare with the "sha" value recorded for that version and platform in
# https://rubygems.org/api/v1/versions/gemname.json

🧯 If You Can't Patch

  • Verify checksums of all gems downloaded during vulnerable period (before May 6, 2022)
  • Consider using gem mirror or local cache with verified checksums

🔍 How to Verify

Check if Vulnerable:

Check whether you downloaded gems from RubyGems.org between the introduction of the vulnerability and the May 6, 2022 patch.

Check Version:

Not applicable - vulnerability was in RubyGems.org service, not client software

Verify Fix Applied:

RubyGems.org is patched. Verify gem checksums match RubyGems.org database entries.
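The checksum comparison that the workaround above and this verification step both call for, written out as an added Ruby example (not RubyGems.org's code, nor code from the original advisory). It assumes the versions listing has the JSON array shape of `GET /api/v1/versions/<gem>.json` with fields `number`, `platform` and `sha` (check against the live endpoint); the gem bytes and the listing are constructed inline so the script runs offline, and platform names ending in a digit are flagged for re-verification because those are the packages the advisory says could have been served from a poisoned cache.

```ruby
require "digest"
require "json"
require "tempfile"

# Platforms such as "arm64-darwin-21" end in a digit; "ruby" and
# "x86_64-linux" do not.
def platform_ends_with_number?(platform)
  platform.to_s.match?(/\d\z/)
end

# Package filename RubyGems.org serves: name-version.gem for the "ruby"
# platform, name-version-platform.gem otherwise.
def gem_filename(name, version, platform)
  return "#{name}-#{version}.gem" if platform == "ruby"
  "#{name}-#{version}-#{platform}.gem"
end

# Parse a versions listing (assumed shape of GET /api/v1/versions/<gem>.json
# with fields "number", "platform", "sha") and return the recorded SHA256
# for one release, or nil when the registry has no record of it.
def recorded_sha256(versions_json, version, platform)
  versions = JSON.parse(versions_json)
  entry = versions.find { |v| v["number"] == version && v["platform"] == platform }
  entry && entry["sha"]
end

# Hash the local package and compare with the registry record.
# Returns :ok, :mismatch (tampered or swapped package) or :unrecorded
# (registry knows no such version/platform, which is itself worth a look).
def verify_gem_file(path, versions_json, version, platform)
  expected = recorded_sha256(versions_json, version, platform)
  return :unrecorded if expected.nil?
  actual = Digest::SHA256.file(path).hexdigest
  actual.casecmp?(expected) ? :ok : :mismatch
end

# ---- constructed sample data: not a real gem and not real registry output ----
GENUINE_GEM_BYTES  = "constructed stand-in for a genuine .gem archive\n".b
TAMPERED_GEM_BYTES = "constructed stand-in for a swapped-in .gem archive\n".b

SAMPLE_VERSIONS_JSON = JSON.generate([
  { "number" => "1.0.0", "platform" => "ruby",
    "sha" => Digest::SHA256.hexdigest(GENUINE_GEM_BYTES) },
  { "number" => "1.0.0", "platform" => "arm64-darwin-21",
    "sha" => Digest::SHA256.hexdigest(GENUINE_GEM_BYTES) },
])

# Write the bytes to a temporary .gem file and verify it, the way a file
# produced by `gem fetch` would be verified.
def check_sample(bytes, version, platform)
  Tempfile.create(["sample", ".gem"]) do |f|
    f.binmode
    f.write(bytes)
    f.flush
    verify_gem_file(f.path, SAMPLE_VERSIONS_JSON, version, platform)
  end
end

if __FILE__ == $PROGRAM_NAME
  [["ruby", GENUINE_GEM_BYTES],
   ["arm64-darwin-21", TAMPERED_GEM_BYTES],
   ["x86_64-linux", GENUINE_GEM_BYTES]].each do |platform, bytes|
    flag = platform_ends_with_number?(platform) ? " (platform ends in a digit: re-verify)" : ""
    puts "#{gem_filename('example', '1.0.0', platform)}: " \
         "#{check_sample(bytes, '1.0.0', platform)}#{flag}"
  end
end
```

To use it against a real download, replace `SAMPLE_VERSIONS_JSON` with the body fetched from the versions endpoint and pass the path of the `.gem` file that `gem fetch` wrote; a `:mismatch` on a package downloaded before May 6, 2022 is the signal the advisory tells you to look for, and `:unrecorded` means the registry has no such release at all.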

📡 Detection & Monitoring

Log Indicators:

  • Unusual gem download patterns
  • Mismatched checksum warnings in build logs

Network Indicators:

  • Requests to RubyGems.org for gems with platform names ending in numbers

SIEM Query:

source="rubygems" AND (checksum_mismatch OR platform=~".*\d$")
