CVE-2024-21654

Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form allows an attacker to bypass the MFA requirement and takeover the account. This vulnerability has been patched in commit 0b3272a.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/rubygems/rubygems.org/commit/0b3272ac17b45748ee0d1867c49867c7deb26565	Patch
https://github.com/rubygems/rubygems.org/security/advisories/GHSA-4v23-vj8h-7jp2	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:rubygems:rubygems.org:*:*:*:*:*:*:*:*

History

24 Oct 2024, 16:35

Type	Values Removed	Values Added
CWE		CWE-306

22 Jan 2024, 19:45

Type	Values Removed	Values Added
References	~~() https://github.com/rubygems/rubygems.org/commit/0b3272ac17b45748ee0d1867c49867c7deb26565 -~~	() https://github.com/rubygems/rubygems.org/commit/0b3272ac17b45748ee0d1867c49867c7deb26565 - Patch
References	~~() https://github.com/rubygems/rubygems.org/security/advisories/GHSA-4v23-vj8h-7jp2 -~~	() https://github.com/rubygems/rubygems.org/security/advisories/GHSA-4v23-vj8h-7jp2 - Patch, Vendor Advisory
First Time		Rubygems Rubygems rubygems.org
CPE		cpe:2.3:a:rubygems:rubygems.org::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

12 Jan 2024, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-12 21:15

Updated : 2024-10-24 16:35

NVD link : CVE-2024-21654

Mitre link : CVE-2024-21654

CVE.ORG link : CVE-2024-21654

JSON object : View

Products Affected

rubygems

rubygems.org

CWE

CWE-287

Improper Authentication

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2024-21654", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.2}]}, "published": "2024-01-12T21:15:11.287", "references": [{"url": "https://github.com/rubygems/rubygems.org/commit/0b3272ac17b45748ee0d1867c49867c7deb26565", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/rubygems/rubygems.org/security/advisories/GHSA-4v23-vj8h-7jp2", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form allows an attacker to bypass the MFA requirement and takeover the account. This vulnerability has been patched in commit 0b3272a."}, {"lang": "es", "value": "Rubygems.org es el servicio de alojamiento de gemas de la comunidad Ruby. Los usuarios de Rubygems.org con MFA habilitado normalmente estar\u00edan protegidos contra la apropiaci\u00f3n de cuentas en el caso de la apropiaci\u00f3n de cuentas de correo electr\u00f3nico. Sin embargo, un workaround al formulario de contrase\u00f1a olvidada permite a un atacante omitir el requisito de MFA y apoderarse de la cuenta. Esta vulnerabilidad ha sido parcheada en el commit 0b3272a."}], "lastModified": "2024-10-24T16:35:05.720", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rubygems:rubygems.org:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "556FCBC0-E749-4BA7-AAF7-94AB12A30E1F", "versionEndExcluding": "2024-01-08"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}