CVE-2024-21654 MEDIUM

CVE-2024-21654: rubygems.org MFA Bypass through password reset function could allow account takeover

Vendor Rubygems
Product rubygems.org
Weakness CWE-287 · Improper authentication
Published January 12, 2024
Last update October 24, 2024

CVSS base score

4.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover even when their email account has been taken over, because the second factor is still required. However, a workaround on the forgotten-password form allowed an attacker to bypass the MFA requirement and take over the account. This vulnerability has been patched in commit 0b3272a.
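The shape of the bug, as an added illustration in plain Ruby: this is not rubygems.org's code, and the page does not describe the specific workaround that was used, so the block only models the vulnerability class named above (CWE-287 in a password-reset flow that issues a session without consulting the account's second factor). The `User` struct, `AccountStore`, the HMAC-based `otp_for` and every value in it are constructed for the example.

```ruby
require "securerandom"
require "openssl"
require "digest"

# Constructed account model: a user may have MFA enabled with a shared secret.
User = Struct.new(:email, :password_hash, :mfa_enabled, :mfa_secret, keyword_init: true)

def hash_password(pw)
  Digest::SHA256.hexdigest("demo-salt:#{pw}") # illustration only; use bcrypt/argon2 in real code
end

# Hypothetical TOTP-like second factor: HMAC of the 30-second window, truncated to 6 hex chars.
def otp_for(secret, now)
  OpenSSL::HMAC.hexdigest("SHA256", secret, (now / 30).to_s)[0, 6]
end

# Constant-time comparison so OTP checking does not leak matching prefixes via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class AccountStore
  RESET_TTL = 15 * 60 # seconds a reset token stays valid

  def initialize
    @users = {}
    @reset_tokens = {} # token => [email, expires_at]
  end

  def add(user)
    @users[user.email] = user
  end

  # The token a "forgot password" e-mail would carry. Whoever controls the mailbox gets it.
  def request_reset(email, now)
    return nil unless @users.key?(email)
    token = SecureRandom.hex(16)
    @reset_tokens[token] = [email, now + RESET_TTL]
    token
  end

  # Validate a token without consuming it; nil if unknown or expired.
  def lookup_reset(token, now)
    email, expires_at = @reset_tokens[token]
    return nil if email.nil? || now > expires_at
    @users[email]
  end

  def consume_reset(token)
    @reset_tokens.delete(token)
  end

  def issue_session(user)
    { email: user.email, session_id: SecureRandom.hex(16) }
  end
end

# Vulnerable shape: the e-mailed token alone changes the password and logs the caller in.
# Nothing on this path asks for the second factor, so e-mail takeover equals account takeover
# even for an MFA-enabled account.
def reset_password_vulnerable(store, token, new_password, now:)
  user = store.lookup_reset(token, now) or return nil
  store.consume_reset(token)
  user.password_hash = hash_password(new_password)
  store.issue_session(user)
end

# Hardened shape: the token proves mailbox control, but an MFA-enabled account must also
# present a valid OTP before the password changes or a session is issued. A missing or wrong
# OTP changes nothing and leaves the token to expire on its own.
def reset_password_hardened(store, token, new_password, otp: nil, now:)
  user = store.lookup_reset(token, now) or return nil
  if user.mfa_enabled
    return nil if otp.nil? || !secure_compare(otp, otp_for(user.mfa_secret, now))
  end
  store.consume_reset(token)
  user.password_hash = hash_password(new_password)
  store.issue_session(user)
end
```

The point to check in any reset flow is the order of operations: every path that ends in a session or a credential change must pass through the same second-factor gate as a normal login, and the gate must run before the state change, not after it.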

Key dates

Disclosure timeline

January 12, 2024 CVE published
October 24, 2024 Record updated