[MAVEN:GHSA-MC6J-H948-V2P6] RubyGems Improper Verification of Cryptographic Signature vulnerability

Severity Critical
Affected Packages 2
Fixed Packages 2
CVEs 1

RubyGems as shipped with the Ruby 2.2 series (2.2.9 and earlier), the Ruby 2.3 series (2.3.6 and earlier), the Ruby 2.4 series (2.4.3 and earlier) and the Ruby 2.5 series (2.5.0 and earlier), prior to trunk revision 62422, contains an Improper Verification of Cryptographic Signature vulnerability in package.rb. The verification code did not reject a gem whose outer tarball carries more than one gem signature entry, so a mis-signed gem could pass the signature check and be installed. The vulnerability has been fixed in RubyGems 2.7.6. Note that RubyGems only verifies gem signatures when a security policy is in effect (for example `gem install -P HighSecurity`); a default install performs no signature verification at all, so this issue affects deployments that rely on signed gems and a policy.
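The advisory's mechanism is a `.gem` file whose outer tar archive contains a signature entry more than once. The following added example (not RubyGems' own code and not the upstream fix) builds such an archive in memory with the standard `Gem::Package::TarWriter`, using constructed placeholder contents rather than a real gem, and then walks it with `Gem::Package::TarReader` to report any entry name that appears more than once. It generalises slightly beyond the text: it flags duplicated entries of any name, not only `.sig` entries, since a duplicated `data.tar.gz` is just as suspicious as a duplicated signature.

```ruby
require 'rubygems/package'
require 'stringio'

# Build an in-memory tar archive from [name, body] pairs, in the given order.
# The bodies are constructed placeholders, not real gem metadata or signatures.
def build_tar(entries)
  io = StringIO.new(''.b)
  Gem::Package::TarWriter.new(io) do |tar|
    entries.each do |name, body|
      tar.add_file(name, 0644) { |f| f.write(body) }
    end
  end
  io.string
end

# Walk the outer tar of a .gem file and return the sorted list of entry
# names that occur more than once. A clean gem returns an empty list.
# This is a pre-install sanity check; it does not verify any signature.
def suspicious_entries(tar_bytes)
  counts = Hash.new(0)
  Gem::Package::TarReader.new(StringIO.new(tar_bytes)) do |tar|
    tar.each { |entry| counts[entry.full_name] += 1 }
  end
  counts.select { |_, n| n > 1 }.keys.sort
end

# Entries a normally built signed gem contains, exactly once each.
CLEAN_GEM = build_tar([
  ['metadata.gz',       'metadata-placeholder'],
  ['metadata.gz.sig',   'sig-placeholder-1'],
  ['data.tar.gz',       'data-placeholder'],
  ['data.tar.gz.sig',   'sig-placeholder-2'],
  ['checksums.yaml.gz', 'checksums-placeholder'],
])

# The shape the advisory describes: the same signature file appears twice,
# so a verifier that keys signatures by name sees only the later one.
MULTI_SIG_GEM = build_tar([
  ['metadata.gz',       'metadata-placeholder'],
  ['metadata.gz.sig',   'sig-placeholder-1'],
  ['data.tar.gz',       'data-placeholder'],
  ['data.tar.gz.sig',   'sig-placeholder-2'],
  ['data.tar.gz.sig',   'sig-placeholder-3'],
  ['checksums.yaml.gz', 'checksums-placeholder'],
])

# A duplicated payload entry is caught by the same check.
DUP_DATA_GEM = build_tar([
  ['metadata.gz',       'metadata-placeholder'],
  ['data.tar.gz',       'data-placeholder-a'],
  ['data.tar.gz',       'data-placeholder-b'],
  ['checksums.yaml.gz', 'checksums-placeholder'],
])

if __FILE__ == $PROGRAM_NAME
  { 'clean' => CLEAN_GEM, 'multi-sig' => MULTI_SIG_GEM, 'dup-data' => DUP_DATA_GEM }.each do |label, bytes|
    dups = suspicious_entries(bytes)
    puts "#{label}: #{dups.empty? ? 'ok' : "duplicate entries #{dups.inspect}"}"
  end
end
```

To run the check against a real file, pass `File.binread('some.gem')` to `suspicious_entries`; a non-empty result means the archive should be rejected before any signature or checksum verification is attempted.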

Package                            Affected version      Fixed version
pkg:maven/rubygems-update          >= 2.2.0, < 2.7.6     2.7.6
pkg:maven/org.jruby/jruby-stdlib   < 9.1.16.0            9.1.16.0