CVE-2022-29176: CWE-862: Missing Authorization in rubygems rubygems.org
Description
Rubygems is a package registry used to supply software for the Ruby language ecosystem. Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so. To be vulnerable, a gem needed:
- one or more dashes in its name
- creation within 30 days OR no updates for over 100 days
At present, we believe this vulnerability has not been exploited. RubyGems.org sends an email to all gem owners when a gem version is published or yanked. We have not received any support emails from gem owners indicating that their gem has been yanked without authorization. An audit of gem changes for the last 18 months did not find any examples of this vulnerability being used in a malicious way. A deeper audit for any possible use of this exploit is ongoing, and we will update this advisory once it is complete.
Using Bundler in --frozen or --deployment mode in CI and during deploys, as the Bundler team has always recommended, will guarantee that your application does not silently switch to versions created using this exploit. To audit your application history for possible past exploits, review your Gemfile.lock and look for gems whose platform changed when the version number did not change. For example, gemname-3.1.2 updating to gemname-3.1.2-java could indicate a possible abuse of this vulnerability.
RubyGems.org has been patched and is no longer vulnerable to this issue as of the 5th of May 2022.
AI Analysis
Technical Summary
CVE-2022-29176 is a medium-severity vulnerability classified under CWE-862 (Missing Authorization) affecting RubyGems.org, the primary package registry for the Ruby programming language ecosystem. The vulnerability arises from a flaw in the 'yank' action, which is used to remove specific gem versions from the registry. Due to improper authorization checks, any authenticated RubyGems.org user could remove and replace certain gems without being the legitimate owner or maintainer. The vulnerability specifically affected gems that met one of two conditions: either the gem name contained one or more dashes and was created within the last 30 days, or the gem had not been updated for over 100 days. This scope limited the attack surface but still posed a risk to a subset of packages. Exploiting this flaw could allow an attacker to replace a legitimate gem version with a malicious one, potentially injecting harmful code into downstream applications that depend on these gems. However, as of the advisory date, no known exploitation in the wild has been reported, and audits have not found evidence of malicious use. The RubyGems.org platform has since been patched as of May 5, 2022, to enforce proper authorization checks. Users are advised to audit their Gemfile.lock files for suspicious changes, such as platform changes without version increments (e.g., from gemname-3.1.2 to gemname-3.1.2-java), which could indicate exploitation. Additionally, using Bundler in '--frozen' or '--deployment' mode during continuous integration and deployment processes helps prevent silent adoption of compromised gem versions. Overall, this vulnerability highlights the risks associated with missing authorization controls in package management systems, which can undermine software supply chain integrity.
Potential Impact
For European organizations relying on Ruby and RubyGems for software development, this vulnerability could have significant implications. If exploited, attackers could inject malicious code into widely used Ruby gems, leading to potential compromise of applications, data breaches, or disruption of services. This is particularly critical for sectors with high reliance on Ruby-based applications, such as fintech, e-commerce, and public sector digital services. The supply chain nature of the vulnerability means that even organizations with strong internal security could be affected if they consume compromised gems. Although no exploitation has been detected, the risk of future attacks remains, especially if attackers target less monitored or legacy gems fitting the vulnerability criteria. The impact on confidentiality, integrity, and availability could be substantial if malicious gem versions execute unauthorized code, exfiltrate sensitive data, or cause application failures. European organizations with automated deployment pipelines that do not use Bundler's recommended modes may be more vulnerable to silently adopting compromised gems. Therefore, the threat poses a medium risk to the European software development ecosystem and downstream users of Ruby applications.
Mitigation Recommendations
1. Ensure RubyGems.org is updated to the patched version released on or after May 5, 2022, to eliminate the vulnerability at the source.
2. Audit all Ruby projects' Gemfile.lock files for suspicious platform changes without version increments, which may indicate exploitation.
3. Enforce the use of Bundler in '--frozen' or '--deployment' mode in all continuous integration and deployment pipelines to prevent automatic acceptance of altered gem versions.
4. Implement strict access controls and monitoring on package publishing and yanking actions within organizational RubyGems registries or mirrors.
5. Establish alerting mechanisms for unexpected gem version changes or yanking activities, especially for gems with dashes in their names or those not updated recently.
6. Educate developers and DevOps teams about supply chain risks and encourage verification of gem sources and integrity before deployment.
7. Consider using gem signing and verification features to ensure authenticity and integrity of dependencies.
8. Regularly review and update dependency management policies to include checks against known vulnerabilities in package registries.
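The Gemfile.lock audit that the advisory and recommendation 2 describe, as an added example in Ruby (this is not code from the advisory, RubyGems or Bundler): it parses the GEM section of two lockfile snapshots and reports every gem whose version string is unchanged but whose platform suffix changed. The two lockfiles are constructed samples, and the gem names and versions in them (gemname, rake, nokogiri, racc) are made up for the demonstration. It goes slightly beyond the advisory's single indicator by distinguishing a replacement (the plain entry disappeared, which is the pattern the advisory gives) from a platform listed alongside the existing ones, which `bundle lock --add-platform` legitimately produces.

```ruby
# Added example, not code from the advisory or from RubyGems/Bundler: audit two
# Gemfile.lock snapshots for a gem whose version stayed the same while its
# platform suffix changed (e.g. gemname (3.1.2) becoming gemname (3.1.2-java)).

# A gem spec line in the GEM section is indented exactly four spaces;
# deeper lines are that gem's dependency constraints and are ignored.
SPEC_LINE = /\A {4}(\S+) \(([^)]+)\)\z/

# Parse the GEM section of a lockfile into
# { "gemname" => { "3.1.2" => ["ruby", "java"] } }.
# Only the GEM (registry) section is read; GIT and PATH sections are skipped.
def parse_lock_specs(lock_text)
  specs = Hash.new { |h, name| h[name] = Hash.new { |v, ver| v[ver] = [] } }
  in_gem_section = false
  lock_text.each_line do |raw|
    line = raw.chomp
    if line.match?(/\A[A-Z][A-Z ]*\z/)   # section header: GEM, PLATFORMS, ...
      in_gem_section = (line == "GEM")
      next
    end
    next unless in_gem_section
    m = SPEC_LINE.match(line) or next
    name, full = m[1], m[2]
    # Bundler writes pre-release versions with ".pre.", so the first dash in
    # the parenthesised string separates the version from the platform.
    version, platform = full.split("-", 2)
    specs[name][version] << (platform || "ruby")
  end
  specs
end

# Compare an older lockfile against a newer one. Returns one finding per gem
# whose version is unchanged but whose platform list gained an entry:
#   kind: :replaced  -- a previous platform disappeared (the advisory's pattern)
#   kind: :added     -- previous platforms kept, a new one listed alongside
#                       (what `bundle lock --add-platform` produces)
def platform_changes(old_lock, new_lock)
  old_specs = parse_lock_specs(old_lock)
  new_specs = parse_lock_specs(new_lock)
  findings = []
  new_specs.each do |name, versions|
    versions.each do |version, new_platforms|
      next unless old_specs.key?(name) && old_specs[name].key?(version)
      old_platforms = old_specs[name][version]
      added = new_platforms - old_platforms
      next if added.empty?
      dropped = old_platforms - new_platforms
      findings << {
        gem: name, version: version,
        old_platforms: old_platforms.sort, new_platforms: new_platforms.sort,
        kind: dropped.empty? ? :added : :replaced
      }
    end
  end
  findings
end

# Constructed sample: lockfile as committed before a suspicious deploy.
OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      gemname (3.1.2)
        rake (>= 12.0)
      nokogiri (1.13.6)
        racc (~> 1.4)
      racc (1.6.0)
      rake (13.0.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    gemname
    nokogiri

  BUNDLED WITH
     2.3.7
LOCK

# Constructed sample: lockfile after the deploy. gemname kept version 3.1.2 but
# switched platform (the indicator), nokogiri gained a platform alongside the
# existing one, and rake had an ordinary version bump.
NEW_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      gemname (3.1.2-java)
        rake (>= 12.0)
      nokogiri (1.13.6)
        racc (~> 1.4)
      nokogiri (1.13.6-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.0)
      rake (13.1.0)

  PLATFORMS
    ruby
    x86_64-linux

  DEPENDENCIES
    gemname
    nokogiri

  BUNDLED WITH
     2.3.7
LOCK

if __FILE__ == $PROGRAM_NAME
  platform_changes(OLD_LOCK, NEW_LOCK).each do |f|
    puts "#{f[:kind]}: #{f[:gem]} #{f[:version]} " \
         "#{f[:old_platforms].join(',')} -> #{f[:new_platforms].join(',')}"
  end
end
```

Feed it the lockfile as committed before and after the window you are checking (for example the output of `git show <rev>:Gemfile.lock` for the two revisions). A `replaced` finding is the one to verify against the versions actually published for that gem on rubygems.org; an `added` finding whose platform also appears as a new entry in the PLATFORMS section is normally a deliberate re-lock rather than a sign of abuse.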
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland, Belgium, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-04-13T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9843c4522896dcbf2f3b
Added to database: 5/21/2025, 9:09:23 AM
Last enriched: 6/23/2025, 8:36:53 AM
Last updated: 8/17/2025, 11:18:01 AM