What is CVE-2022-29218?

CVE-2022-29218 is a vulnerability in RubyGems, a package registry used for the Ruby language ecosystem.

What is the severity of CVE-2022-29218?

CVE-2022-29218 has a severity level of high (7.5).

How does CVE-2022-29218 affect RubyGems?

CVE-2022-29218 allows malicious packages to temporarily replace certain gems in the CDN cache.

What is the fix for CVE-2022-29218?

To fix CVE-2022-29218, users should update to the latest version of RubyGems and clear their CDN caches.

Where can I find more information about CVE-2022-29218?

You can find more information about CVE-2022-29218 in the references provided: [GitHub Security Advisory](https://github.com/rubygems/rubygems.org/security/advisories/GHSA-2jmx-8mh8-pm8w) and [NetApp Security Advisory](https://security.netapp.com/advisory/ntap-20220629-0010/).

Vulnerability/
CVE-2022-29218

high

7.7

CWE

269 290 863

12/5/2022

3/8/2024

CVE-2022-29218: Unauthorized takeover for new versions of some platform-specific gems

First published: Thu May 12 2022(Updated: )

RubyGems is a package registry used to supply software for the Ruby language ecosystem. An ordering mistake in the code that accepts gem uploads allowed some gems (with platforms ending in numbers, like `arm64-darwin-21`) to be temporarily replaced in the CDN cache by a malicious package. The bug has been patched, and is believed to have never been exploited, based on an extensive review of logs and existing gems by rubygems. The easiest way to ensure that an application has not been exploited by this vulnerability is to verify all downloaded .gems checksums match the checksum recorded in the RubyGems.org database. RubyGems.org has been patched and is no longer vulnerable to this issue.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Rubygems Rubygems.org

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-29218?
CVE-2022-29218 is a vulnerability in RubyGems, a package registry used for the Ruby language ecosystem.
What is the severity of CVE-2022-29218?
CVE-2022-29218 has a severity level of high (7.5).
How does CVE-2022-29218 affect RubyGems?
CVE-2022-29218 allows malicious packages to temporarily replace certain gems in the CDN cache.
What is the fix for CVE-2022-29218?
To fix CVE-2022-29218, users should update to the latest version of RubyGems and clear their CDN caches.
Where can I find more information about CVE-2022-29218?
You can find more information about CVE-2022-29218 in the references provided: [GitHub Security Advisory](https://github.com/rubygems/rubygems.org/security/advisories/GHSA-2jmx-8mh8-pm8w) and [NetApp Security Advisory](https://security.netapp.com/advisory/ntap-20220629-0010/).

collector/nvd-index
agent/references
agent/type
collector/mitre-cve
source/MITRE
agent/weakness
agent/last-modified-date
agent/title
agent/severity
agent/author
agent/tags
agent/softwarecombine
agent/first-publish-date
agent/description
agent/event
vendor/rubygems
canonical/rubygems rubygems.org

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.