Description
RubyGems, as bundled with Ruby 2.2.9 and earlier (2.2 series), Ruby 2.3.6 and earlier (2.3 series), Ruby 2.4.3 and earlier (2.4 series), and Ruby 2.5.0 and earlier (2.5 series), and in trunk prior to revision 62422, contains an Improper Verification of Cryptographic Signature vulnerability in package.rb. Because a gem tarball could contain multiple gem signatures, a mis-signed gem could be installed. This vulnerability appears to have been fixed in RubyGems 2.7.6.
Remediation
References
Related Vulnerabilities
Joomla! Core 1.5.x Variable Injection (1.5.0 - 1.5.6)
PHP Use of Externally-Controlled Format String Vulnerability (CVE-2010-2950)
WordPress Plugin Catch Infinite Scroll Security Bypass (1.8.1)
Jboss EAP Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-5478)
WordPress Plugin RSS Post Importer Unspecified Vulnerability (2.5.0)