2258494 – (CVE-2024-21654) CVE-2024-21654 rubygems: MFA bypass through password reset function could allow account takeover

Bug 2258494 (CVE-2024-21654) - CVE-2024-21654 rubygems: MFA bypass through password reset function could allow account takeover

Summary: CVE-2024-21654 rubygems: MFA bypass through password reset function could all...

Keywords:
Status:	NEW
Alias:	CVE-2024-21654
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2258495
Blocks:
TreeView+	depends on / blocked

Reported:	2024-01-15 17:22 UTC by Mauro Matteo Cascella
Modified:	2024-03-12 11:04 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Mauro Matteo Cascella 2024-01-15 17:22:32 UTC

Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form allows an attacker to bypass the MFA requirement and takeover the account.

Security Advisory:
https://github.com/rubygems/rubygems.org/security/advisories/GHSA-4v23-vj8h-7jp2

Upstream fix:
https://github.com/rubygems/rubygems.org/commit/0b3272ac17b45748ee0d1867c49867c7deb26565

Comment 1 Mauro Matteo Cascella 2024-01-15 17:23:00 UTC

Created rubygems tracking bugs for this issue:

Affects: fedora-all [bug 2258495]

Comment 2 Vít Ondruch 2024-01-16 09:21:31 UTC

Unless I am mistaken, this is flaw in the http://rubygems.org service, not in the package.

Note You need to log in before you can comment on or make changes to this bug.