CVE-2024-35221: Denial of service when publishing a package on rubygems.org

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-35221

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Denial of service when publishing a package on rubygems.org

Source: NVD (National Vulnerability Database)

Vulnerability Description

Rubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Source: NVD (National Vulnerability Database)

Vulnerability Type

未加控制的资源消耗(资源穷尽)

Source: NVD (National Vulnerability Database)

Vulnerability Title

RubyGems 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

RubyGems是RubyGems组织的一款Ruby程序包管理器。该产品主要用于发布和管理Ruby程序包。 RubyGems存在安全漏洞，该漏洞源于Ruby 在使用 Gem Specification.from_yaml 时读取 Gem 文件清单，可能会导致远程拒绝服务。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
rubygems	rubygems.org	< 2024-04-12	-

II. Public POCs for CVE-2024-35221

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2024-35221

Please Login to view more intelligence information

https://en.wikipedia.org/wiki/Billion_laughs_attackx_refsource_MISC
https://github.com/rubygems/rubygems.org/security/advisories/GHSA-4vc5-whwr-7hh2x_refsource_CONFIRM
https://github.com/ruby/ruby/blob/7cf74a2ff28b1b4c26e367d0d67521f7e1fed239/lib/rubygems/safe_yaml.rb#L28x_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2024-35221

IV. Related Vulnerabilities

Same product: rubygems.org

Same vendor: rubygems

Same weakness: CWE-400

V. Comments for CVE-2024-35221

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2024-35221

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2024-35221

III. Intelligence Information for CVE-2024-35221

IV. Related Vulnerabilities

V. Comments for CVE-2024-35221

Leave a comment