{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-35221", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-14T15:39:41.783Z", "datePublished": "2024-05-29T20:18:06.763Z", "dateUpdated": "2024-06-06T18:59:30.878Z"}, "containers": {"cna": {"title": "Denial of service when publishing a package on rubygems.org", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/rubygems/rubygems.org/security/advisories/GHSA-4vc5-whwr-7hh2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rubygems/rubygems.org/security/advisories/GHSA-4vc5-whwr-7hh2"}, {"name": "https://en.wikipedia.org/wiki/Billion_laughs_attack", "tags": ["x_refsource_MISC"], "url": "https://en.wikipedia.org/wiki/Billion_laughs_attack"}, {"name": "https://github.com/ruby/ruby/blob/7cf74a2ff28b1b4c26e367d0d67521f7e1fed239/lib/rubygems/safe_yaml.rb#L28", "tags": ["x_refsource_MISC"], "url": "https://github.com/ruby/ruby/blob/7cf74a2ff28b1b4c26e367d0d67521f7e1fed239/lib/rubygems/safe_yaml.rb#L28"}], "affected": [{"vendor": "rubygems", "product": "rubygems.org", "versions": [{"version": "< 2024-04-12", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-29T20:18:06.763Z"}, "descriptions": [{"lang": "en", "value": "Rubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab."}], "source": {"advisory": "GHSA-4vc5-whwr-7hh2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-06T18:59:20.588645Z", "id": "CVE-2024-35221", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T18:59:30.878Z"}}]}}

{"descriptions": [{"lang": "en", "value": "Rubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab."}, {"lang": "es", "value": "Rubygems.org es el servicio de alojamiento de gemas de la comunidad Ruby. Un editor de gemas puede provocar un DoS remoto al publicar una gema. Esto se debe a c\u00f3mo Ruby lee los archivos Manifiesto de Gem cuando usa Gem::Specification.from_yaml. from_yaml utiliza SafeYAML.load, que permite alias YAML dentro de los metadatos basados en YAML de una gema. Los alias YAML permiten ataques de denegaci\u00f3n de servicio con las llamadas \"bombas YAML\" (comparables a los ataques de mil millones de risas). Esto fue parcheado. No se requiere ninguna acci\u00f3n por parte de los usuarios. Este problema tambi\u00e9n se rastrea como GHSL-2024-001 y fue descubierto por el laboratorio de seguridad de GitHub."}], "id": "CVE-2024-35221", "lastModified": "2024-05-30T13:15:41.297", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-29T21:15:49.017", "references": [{"source": "security-advisories@github.com", "url": "https://en.wikipedia.org/wiki/Billion_laughs_attack"}, {"source": "security-advisories@github.com", "url": "https://github.com/ruby/ruby/blob/7cf74a2ff28b1b4c26e367d0d67521f7e1fed239/lib/rubygems/safe_yaml.rb#L28"}, {"source": "security-advisories@github.com", "url": "https://github.com/rubygems/rubygems.org/security/advisories/GHSA-4vc5-whwr-7hh2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}