Vulnerability Details CVE-2024-21654
Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form allows an attacker to bypass the MFA requirement and takeover the account. This vulnerability has been patched in commit 0b3272a.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 38.2%
CVSS Severity
CVSS v3 Score 4.8
References
- https://github.com/rubygems/rubygems.org/commit/0b3272ac17b45748ee0d1867c49867c7deb26565
- https://github.com/rubygems/rubygems.org/security/advisories/GHSA-4v23-vj8h-7jp2
- https://github.com/rubygems/rubygems.org/commit/0b3272ac17b45748ee0d1867c49867c7deb26565
- https://github.com/rubygems/rubygems.org/security/advisories/GHSA-4v23-vj8h-7jp2
Products affected by CVE-2024-21654
-
cpe:2.3:a:rubygems:rubygems.org:-
-
cpe:2.3:a:rubygems:rubygems.org:2023-08-14