GHSA-mc6j-h948-v2p6

Source
https://github.com/advisories/GHSA-mc6j-h948-v2p6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mc6j-h948-v2p6/GHSA-mc6j-h948-v2p6.json
Aliases
Published
2022-05-14T01:01:12Z
Modified
2024-03-11T05:31:35.277732Z
Summary
RubyGems Improper Verification of Cryptographic Signature vulnerability
Details

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, and Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contain an Improper Verification of Cryptographic Signature vulnerability in package.rb. This can result in a mis-signed gem being installed, as the tarball would contain multiple gem signatures. This vulnerability has been fixed in 2.7.6.

References

Affected packages

RubyGems / rubygems-update

Package

Name
rubygems-update

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.7.6

Affected versions

2.*

2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.3.0
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13
2.6.14
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4.pre1
2.7.4
2.7.5

Maven / org.jruby:jruby-stdlib

Package

Name
org.jruby:jruby-stdlib

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
9.1.16.0

Affected versions

1.*

1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.5.1
1.6.6
1.6.7
1.6.7.1
1.6.7.2
1.6.8
1.7.0.RC1
1.7.0.RC2
1.7.0
1.7.0.preview1
1.7.0.preview2
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.7.10
1.7.11
1.7.12
1.7.13
1.7.14
1.7.15
1.7.16
1.7.16.1
1.7.16.2
1.7.17
1.7.18
1.7.19
1.7.20
1.7.20.1
1.7.21
1.7.22
1.7.23
1.7.24
1.7.25
1.7.26
1.7.27

9.*

9.0.0.0.rc1
9.0.0.0.rc2
9.0.0.0
9.0.0.0.pre1
9.0.0.0.pre2
9.0.1.0
9.0.2.0
9.0.3.0
9.0.4.0
9.0.5.0
9.1.0.0
9.1.1.0
9.1.2.0
9.1.3.0
9.1.4.0
9.1.5.0
9.1.6.0
9.1.7.0
9.1.8.0
9.1.9.0
9.1.10.0
9.1.11.0
9.1.12.0
9.1.13.0
9.1.14.0
9.1.15.0