Fedora Account System
Red Hat Associate
Red Hat Customer
Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form allows an attacker to bypass the MFA requirement and takeover the account. Security Advisory: https://github.com/rubygems/rubygems.org/security/advisories/GHSA-4v23-vj8h-7jp2 Upstream fix: https://github.com/rubygems/rubygems.org/commit/0b3272ac17b45748ee0d1867c49867c7deb26565
Created rubygems tracking bugs for this issue: Affects: fedora-all [bug 2258495]
Unless I am mistaken, this is flaw in the http://rubygems.org service, not in the package.