rubygems.org MFA Bypass through password reset function could allow account takeover

Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form allows an attacker to bypass the MFA requirement and takeover the account. This vulnerability has been patched in commit 0b3272a.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

认证机制不恰当

RubyGems 授权问题漏洞

RubyGems是RubyGems组织的一款Ruby程序包管理器。该产品主要用于发布和管理Ruby程序包。 RubyGems存在授权问题漏洞，该漏洞源于允许攻击者绕过MFA要求并接管帐户。

N/A

N/A