Impact
Rubygems.org users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form allows an attacker to bypass the MFA requirement and take over the account.
Exploiting the vulnerability requires either email account takeover or compromise of a forgotten-password token.
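As an added illustration (not rubygems.org's code and not the patched commit), a minimal Ruby password-reset flow: the flawed step sets a new password on a valid reset token alone, while the hardened step additionally demands a current OTP whenever the account has MFA enrolled. The user record, its field names and the TOTP helper are assumptions.

```ruby
require "openssl"
require "securerandom"

# Constructed user record; the field names are assumptions, not rubygems.org's schema.
User = Struct.new(:email, :password, :mfa_secret, :reset_token, :reset_expires_at,
                  keyword_init: true)

# Byte-wise comparison whose running time does not depend on where the inputs differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# RFC 6238 TOTP over a raw byte secret (assumed helper, not a library call).
def totp(secret, now, step: 30, digits: 6)
  counter = [now / step].pack("Q>")
  hmac = OpenSSL::HMAC.digest("SHA1", secret, counter)
  offset = hmac.bytes.last & 0x0f
  code = hmac.byteslice(offset, 4).unpack1("N") & 0x7fffffff
  format("%0#{digits}d", code % (10**digits))
end

# Forgotten-password step 1: mail the user a random, time-limited token.
def issue_reset_token(user, now, ttl: 3600)
  user.reset_token = SecureRandom.hex(16)
  user.reset_expires_at = now + ttl
  user.reset_token
end

def valid_reset_token?(user, token, now)
  return false if user.reset_token.nil? || now > user.reset_expires_at
  secure_equal?(user.reset_token, token)
end

# Flawed step 2: the token alone sets a new password, so reading the reset
# email (or capturing the token) takes over an MFA-protected account.
def reset_password_without_mfa(user, token, new_password, now)
  return :invalid_token unless valid_reset_token?(user, token, now)
  user.password, user.reset_token = new_password, nil
  :ok
end

# Hardened step 2: the token proves mailbox control; an enrolled user must
# also present a current OTP before the password changes.
def reset_password(user, token, new_password, otp, now)
  return :invalid_token unless valid_reset_token?(user, token, now)
  return :mfa_required if user.mfa_secret && !(otp && secure_equal?(otp, totp(user.mfa_secret, now)))
  user.password, user.reset_token = new_password, nil # token is single use
  :ok
end
```

The reset token is deliberately cleared on success so a captured token cannot be replayed after the legitimate reset.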
Patches
0b3272a
Workarounds
No.
References
Undisclosed submission to RubyGems HackerOne program