THREATINT


PUBLISHED

CVE-2024-35221

Denial of service when publishing a package on rubygems.org

Reserved: 2024-05-14
Published: 2024-05-29
Updated: 2024-06-06

Description

Rubygems.org is the Ruby community's gem hosting service. A gem publisher can cause a remote DoS when publishing a gem. This is due to how Ruby reads the manifest of gem files when using `Gem::Specification.from_yaml`: `from_yaml` makes use of `SafeYAML.load`, which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for denial-of-service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub Security Lab.
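The following is an added illustration, not code from rubygems.org or from its patch: it shows one way a service could refuse alias-bearing gem metadata before deserializing it, using Ruby's bundled Psych library. The sample documents and the helper names `alias_count`, `load_without_aliases` and `screen_metadata` are assumptions made for this example.

```ruby
require "psych"

# Constructed sample metadata (not from any real gem): one anchor reused twice.
ALIASED_METADATA = <<~YAML
  name: example
  version: 0.0.1
  shared: &a [x, y]
  first: *a
  second: *a
YAML

# Constructed sample metadata without anchors or aliases.
PLAIN_METADATA = <<~YAML
  name: example
  version: 0.0.1
  files: [lib/example.rb]
YAML

# Count alias nodes in the parsed syntax tree. Psych.parse builds only the
# AST, so aliases are never expanded into Ruby objects while inspecting.
def alias_count(yaml)
  doc = Psych.parse(yaml)
  return 0 unless doc # Psych.parse returns false for an empty stream
  doc.each.count { |node| node.is_a?(Psych::Nodes::Alias) }
end

# Deserialize with aliases disabled. Psych raises Psych::BadAlias (or its
# subclass Psych::AliasesNotEnabled on Psych 4+) when it meets an alias.
def load_without_aliases(yaml)
  Psych.safe_load(yaml, aliases: false)
rescue Psych::BadAlias
  nil
end

# Reject metadata that contains any alias; otherwise return the parsed data.
def screen_metadata(yaml)
  found = alias_count(yaml)
  return { accepted: false, aliases: found, data: nil } if found.positive?
  { accepted: true, aliases: 0, data: load_without_aliases(yaml) }
end

if __FILE__ == $PROGRAM_NAME
  p screen_metadata(ALIASED_METADATA)
  p screen_metadata(PLAIN_METADATA)
end
```

Rejecting on the syntax tree keeps the decision independent of how large the expanded structure would become.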



MEDIUM: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Problem types

CWE-400: Uncontrolled Resource Consumption

Product status

< 2024-04-12
affected

References

https://github.com/rubygems/rubygems.org/security/advisories/GHSA-4vc5-whwr-7hh2

https://en.wikipedia.org/wiki/Billion_laughs_attack

https://github.com/ruby/ruby/blob/7cf74a2ff28b1b4c26e367d0d67521f7e1fed239/lib/rubygems/safe_yaml.rb#L28

cve.org CVE-2024-35221

nvd.nist.gov CVE-2024-35221
