First published: Wed May 29 2024
RubyGems.org is the Ruby community's gem hosting service. A gem publisher could cause a remote denial of service (DoS) when publishing a gem. The cause lies in how Ruby reads the manifest of gem files with Gem::Specification.from_yaml: from_yaml uses SafeYAML.load, which permits YAML aliases inside the YAML-based metadata of a gem. YAML aliases enable denial-of-service attacks through so-called `YAML bombs` (comparable to billion-laughs attacks). This has been patched; no action is required by users. The issue is also tracked as GHSL-2024-001 and was discovered by the GitHub Security Lab.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| RubyGems | | |
CVE-2024-35221 is considered a critical vulnerability because it can cause a remote denial of service (DoS) when a gem is published.
To mitigate CVE-2024-35221, make sure your RubyGems environment is updated to the latest version, which includes the fix for this vulnerability.
CVE-2024-35221 affects systems using RubyGems, in particular the RubyGems.org service used to publish gems.
CVE-2024-35221 stems from the way Ruby reads the manifest of gem files via Gem::Specification.from_yaml, which can lead to a remote DoS.
Any registered gem publisher could exploit CVE-2024-35221 by crafting specific gem files that trigger the vulnerability.
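The metadata-loading step described above, as an added example that is not RubyGems.org's own code: it parses constructed gem metadata with Psych.safe_load and aliases disabled, so a document that relies on YAML anchors and aliases is rejected before anything is expanded. The size bound and the UnsafeMetadata class are assumptions for illustration.

```ruby
require "psych"

# Constructed sample metadata with no aliases: this should load normally.
PLAIN_METADATA = <<~YAML
  name: example-gem
  version: 1.0.0
  authors:
    - Alice
  summary: constructed manifest without YAML aliases
YAML

# Constructed sample that reuses a node through an anchor (&a) and an
# alias (*a). A YAML bomb nests such references so each level expands the
# one before it; one level is enough to show the loader refusing aliases.
ALIASED_METADATA = <<~YAML
  name: example-gem
  version: 1.0.0
  authors: &a
    - Alice
  maintainers: *a
YAML

# Upper bound (bytes) on metadata we are willing to hand to the parser (assumed).
MAX_METADATA_BYTES = 64 * 1024

class UnsafeMetadata < StandardError; end

# Parse gem metadata with aliases disabled. With aliases: false, Psych
# raises Psych::BadAlias (Psych::AliasesNotEnabled, its subclass, on
# Psych >= 4) as soon as an alias is seen, before any expansion happens.
# Returns the parsed Hash or raises UnsafeMetadata.
def load_gem_metadata(yaml)
  if yaml.bytesize > MAX_METADATA_BYTES
    raise UnsafeMetadata, "metadata exceeds #{MAX_METADATA_BYTES} bytes"
  end
  Psych.safe_load(yaml, permitted_classes: [Symbol], aliases: false)
rescue Psych::BadAlias => e
  raise UnsafeMetadata, "YAML aliases are not allowed in gem metadata (#{e.message})"
end

# Pre-publish check: true only when the metadata parses without aliases.
def metadata_safe?(yaml)
  load_gem_metadata(yaml)
  true
rescue UnsafeMetadata, Psych::SyntaxError
  false
end

puts "plain: #{metadata_safe?(PLAIN_METADATA)}, aliased: #{metadata_safe?(ALIASED_METADATA)}"
```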