CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionNVD
Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form allows an attacker to bypass the MFA requirement and takeover the account. This vulnerability has been patched in commit 0b3272a.
AnalysisAI
Rubygems.org is the Ruby community's gem hosting service. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.
Technical ContextAI
This vulnerability is classified as Improper Authentication (CWE-287), which allows attackers to bypass authentication mechanisms to gain unauthorized access. Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form allows an attacker to bypass the MFA requirement and takeover the account. This vulnerability has been patched in commit 0b3272a. Affected products include: Rubygems Rubygems.Org.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Implement multi-factor authentication, enforce strong password policies, use proven authentication frameworks.
Share
External POC / Exploit Code
Leaving vuln.today