CVE-2024-21654

2024-01-1221:15:11

CWE-287

[email protected]

web.nvd.nist.gov

rubygems.org

mfa bypass

vulnerability

commit 0b3272a

ruby community

gem hosting service

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

35.6%

JSON

Rubygems.org is the Ruby community’s gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form allows an attacker to bypass the MFA requirement and takeover the account. This vulnerability has been patched in commit 0b3272a.

Affected configurations

Vulners

NVD

Node

rubygemsrubygems.orgRange<0b3272a

VendorProductVersionCPE
rubygemsrubygems\.org*cpe:2.3:a:rubygems:rubygems\.org:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
rubygems	rubygems\.org	*	cpe:2.3:a:rubygems:rubygems\.org::::::::

CNA Affected

[
  {
    "vendor": "rubygems",
    "product": "rubygems.org",
    "versions": [
      {
        "version": "< commit 0b3272a",
        "status": "affected"
      }
    ]
  }
]