CVE-2024-35221
CVSS V2 None
CVSS V3 None
Description
Rubygems.org is the Ruby community's gem hosting service. A gem publisher can cause a remote DoS when publishing a gem. This is due to how Ruby reads the manifest of gem files when using Gem::Specification.from_yaml: from_yaml makes use of SafeYAML.load, which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion Laughs attacks). This was patched. There is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub Security Lab.
Overview
- CVE ID: CVE-2024-35221
- Assigner: GitHub_M
- Vulnerability Status: PUBLISHED
- Published Version: 2024-05-29T20:18:06.763Z
- Last Modified Date: 2024-06-06T18:59:30.878Z
Weakness Enumerations
References
Reference URL | Reference Tags |
---|---|
https://github.com/rubygems/rubygems.org/security/advisories/GHSA-4vc5-whwr-7hh2 | x_refsource_CONFIRM |
https://en.wikipedia.org/wiki/Billion_laughs_attack | x_refsource_MISC |
https://github.com/ruby/ruby/blob/7cf74a2ff28b1b4c26e367d0d67521f7e1fed239/lib/rubygems/safe_yaml.rb#L28 | x_refsource_MISC |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-35221 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35221 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-06-26 13:41:46 | Added to TrackCVE |