Rubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-05-29T20:18:06.763Z
Updated: 2024-08-02T03:07:46.784Z
Reserved: 2024-05-14T15:39:41.783Z
Link: CVE-2024-35221
Vulnrichment
Updated: 2024-06-06T18:59:26.763Z
NVD
Status : Awaiting Analysis
Published: 2024-05-29T21:15:49.017
Modified: 2024-05-30T13:15:41.297
Link: CVE-2024-35221
Redhat
No data.