// For flags

CVE-2024-21654

rubygems.org MFA Bypass through password reset function could allow account takeover

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form allows an attacker to bypass the MFA requirement and takeover the account. This vulnerability has been patched in commit 0b3272a.

Rubygems.org es el servicio de alojamiento de gemas de la comunidad Ruby. Los usuarios de Rubygems.org con MFA habilitado normalmente estarían protegidos contra la apropiación de cuentas en el caso de la apropiación de cuentas de correo electrónico. Sin embargo, un workaround al formulario de contraseña olvidada permite a un atacante omitir el requisito de MFA y apoderarse de la cuenta. Esta vulnerabilidad ha sido parcheada en el commit 0b3272a.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2023-12-29 CVE Reserved
  • 2024-01-12 CVE Published
  • 2024-01-23 EPSS Updated
  • 2024-10-24 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-287: Improper Authentication
  • CWE-306: Missing Authentication for Critical Function
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Rubygems
Search vendor "Rubygems"
Rubygems.org
Search vendor "Rubygems" for product "Rubygems.org"
< 2024-01-08
Search vendor "Rubygems" for product "Rubygems.org" and version " < 2024-01-08"
-
Affected