CVE-2023-40165

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published Aug 17, 2023
Updated: Aug 24, 2023
CWE ID 20

Summary

CVE-2023-40165 is a vulnerability affecting rubygems.org, the primary Ruby library hosting service. Malicious actors could exploit insufficient input validation to replace any uploaded gem version with a matching pattern, permanently replacing the legitimate gem and immediately purging the old copy from the CDN. Although a check found no unexpected gems, users are advised to confirm that downloaded .gem files have checksums matching those recorded in the RubyGems.org database. The vulnerability has been patched with improved input validation, and no user action is required. For added assurance, users can run the 'bundler-integrity' tool to check the checksums of their locally installed gems.
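The check the advisory recommends, as an added example that is not part of the original page or of the bundler-integrity tool: it compares the SHA256 of each .gem file in a local cache directory against a table of checksums as recorded by RubyGems.org. The table, the gem names and the file contents below are constructed for the example; in practice the recorded values would be fetched from the RubyGems.org version record.

```ruby
require "digest"
require "tmpdir"
require "fileutils"

# Constructed table standing in for the checksums RubyGems.org recorded at
# upload time (real values would come from the rubygems.org version record).
RECORDED_SHA256 = {
  "example-1.0.0.gem" => Digest::SHA256.hexdigest("legit gem bytes"),
  "other-2.3.1.gem"   => Digest::SHA256.hexdigest("other gem bytes"),
}.freeze

# Hash every .gem in cache_dir and compare it with the recorded checksum.
# Returns { file name => :ok | :mismatch | :unrecorded }; a :mismatch means the
# local file differs from what was recorded when the version was uploaded.
def verify_gem_cache(cache_dir, recorded = RECORDED_SHA256)
  Dir.glob(File.join(cache_dir, "*.gem")).sort.each_with_object({}) do |path, out|
    name   = File.basename(path)
    actual = Digest::SHA256.file(path).hexdigest
    out[name] =
      if !recorded.key?(name)        then :unrecorded
      elsif recorded[name] == actual then :ok
      else                                :mismatch
      end
  end
end

# Constructed cache: one untouched gem and one whose contents were replaced
# after upload, so its checksum no longer matches the record.
def demo_cache
  dir = Dir.mktmpdir("gem-cache")
  File.binwrite(File.join(dir, "example-1.0.0.gem"), "legit gem bytes")
  File.binwrite(File.join(dir, "other-2.3.1.gem"), "REPLACED gem bytes")
  dir
end

if __FILE__ == $PROGRAM_NAME
  dir = demo_cache
  verify_gem_cache(dir).each { |name, status| puts "#{status}\t#{name}" }
  FileUtils.remove_entry(dir)
end
```

Any :mismatch or :unrecorded entry is the signal to reinstall that gem from RubyGems.org rather than trust the cached copy.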

