CVE-2024-35221 — Vulnetix

Try Vulnetix Request Demo

CVE-2024-35221 PUBLISHED CVSS 4.300000190734863 MEDIUM

Rubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab.

EPSS 0.05% · 15.7th percentile

Risk Scores

CVSS v3.1

4.300000190734863

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

EPSS Score

0.05%

15.7th percentile

Affected Products

Vendor	Product	Versions
rubygems	rubygems.org	< 2024-04-12

Timeline

May 29, 2024 CVE Published
May 30, 2024 EPSS Score
Jun 22, 2024 EPSS Score
Jul 15, 2024 EPSS Score
Aug 2, 2024 CVE Updated
Aug 7, 2024 EPSS Score
Aug 29, 2024 EPSS Score
Sep 21, 2024 EPSS Score
Oct 4, 2024 Coalition ESS Score
Oct 14, 2024 EPSS Score
Nov 6, 2024 EPSS Score
Nov 29, 2024 EPSS Score

References

Open in Interactive Console →