Description
RubyGems as shipped with Ruby 2.2 series 2.2.9 and earlier, Ruby 2.3 series 2.3.6 and earlier, Ruby 2.4 series 2.4.3 and earlier, Ruby 2.5 series 2.5.0 and earlier, and trunk prior to revision 62422, contains an Improper Verification of Cryptographic Signature vulnerability in package.rb. Because the gem tarball could contain multiple gem signatures, a mis-signed gem could be installed. This vulnerability appears to have been fixed in RubyGems 2.7.6.
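As an added illustration, not RubyGems' own code or its fix for this issue: a defender-side check that walks a gem tarball and reports any signature entry (the `.sig` members a signed gem carries alongside metadata.gz, data.tar.gz and checksums.yaml.gz) that appears more than once, which is the condition the description names. It assumes the `.sig` naming convention and uses constructed in-memory tarballs, not real gems, as input.

```ruby
require "rubygems/package"
require "stringio"

# A signed gem carries one ".sig" entry per signed member. Any repeat of a
# ".sig" name is the "multiple gem signatures" condition and is flagged.
SIGNATURE_SUFFIX = ".sig"

# Walk a gem tarball and return the names of signature entries that occur
# more than once. An empty array means no duplicated signatures were seen.
def duplicated_signature_entries(tar_io)
  seen = Hash.new(0)
  Gem::Package::TarReader.new(tar_io) do |tar|
    tar.each do |entry|
      name = entry.full_name
      seen[name] += 1 if name.end_with?(SIGNATURE_SUFFIX)
    end
  end
  seen.select { |_, count| count > 1 }.keys
end

# Build a constructed in-memory tarball (assumption: not a real gem) from
# [name, contents] pairs, written in the order given.
def build_tar(entries)
  io = StringIO.new("".b)
  Gem::Package::TarWriter.new(io) do |tar|
    entries.each do |name, contents|
      tar.add_file_simple(name, 0o644, contents.bytesize) { |f| f.write(contents) }
    end
  end
  io.rewind
  io
end

# Constructed sample: one signature per signed member, as expected.
def clean_example
  build_tar([["metadata.gz", "m"], ["metadata.gz.sig", "sig-m"],
             ["data.tar.gz", "d"], ["data.tar.gz.sig", "sig-d"]])
end

# Constructed sample: the same member signed twice, which a checker must reject.
def doubled_example
  build_tar([["data.tar.gz", "d"], ["data.tar.gz.sig", "sig-1"],
             ["data.tar.gz.sig", "sig-2"]])
end
```

A verifier that rejects the archive whenever `duplicated_signature_entries` is non-empty never lets a later signature entry shadow an earlier one.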