[RUBYSEC:RUBYGEMS-UPDATE-2018-1000076] RubyGems Improper Verification of Cryptographic Signature vulnerability

Severity: Critical
Affected Packages: 2
Unaffected Packages: 1
Fixed Packages: 1
CVEs: 1

RubyGems in the Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, and Ruby 2.5 series: 2.5.0
and earlier, prior to trunk revision 62422, contains an Improper Verification of
Cryptographic Signature vulnerability in package.rb. This can result in a mis-signed
gem being installed, as the tarball would contain multiple gem signatures. This
vulnerability has been fixed in 2.7.6.

Package                     Affected Version
pkg:gem/rubygems-update     < 2.7.6
pkg:gem/rubygems-update     = 2.2.0

Package                     Unaffected Version
pkg:gem/rubygems-update     < 2.2.0

Package                     Fixed Version
pkg:gem/rubygems-update     >= 2.7.6

Type         Package URL                 Name / Product      Version
Fixed        pkg:gem/rubygems-update     rubygems-update     >= 2.7.6
Affected     pkg:gem/rubygems-update     rubygems-update     < 2.7.6
Unaffected   pkg:gem/rubygems-update     rubygems-update     < 2.2.0
Affected     pkg:gem/rubygems-update     rubygems-update     = 2.2.0