CVE-2024-35221

EPSS 0.05%
Veröffentlicht 29.05.2024 21:15:49
Zuletzt bearbeitet 21.11.2024 09:19:58
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Rubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerrubygems

≫

Produkt rubygems.org

Version < 2024-04-12

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.156

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://en.wikipedia.org/wiki/Billion_laughs_attack

https://github.com/ruby/ruby/blob/7cf74a2ff28b1b4c26e367d0d67521f7e1fed239/lib/rubygems/safe_yaml.rb#L28

https://github.com/rubygems/rubygems.org/security/advisories/GHSA-4vc5-whwr-7hh2

https://nvd.nist.gov/vuln/detail/CVE-2024-35221

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-35221

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-35221

EUVD