Vulnerability identifier: #VU11648
Vulnerability risk: Low
Exploitation vector: Network
Exploit availability: No
The vulnerability allows a remote attacker to write arbitrary files on the target system.
The weakness exists in package.rb due to improper verification of cryptographic signature. A remote attacker can install mis-signed gem, as the tarball would contain multiple gem signatures.
Update to version 2.7.6.
Vulnerable software versions
Ruby: 2.2.0 - 2.5.0
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?