CVE-2024-21654

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-21654
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21654.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-21654
Aliases
  • GHSA-4v23-vj8h-7jp2
Published
2024-01-12T20:59:43.094Z
Modified
2025-11-30T11:25:20.025675Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
rubygems.org MFA Bypass through password reset function could allow account takeover
Details

Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover even when their email account has been compromised. However, a workaround on the forgotten-password form allows an attacker who controls the account's email to bypass the MFA requirement and take over the account. This vulnerability has been patched in commit 0b3272a.
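
The weakness class described above (CWE-287, a recovery path that ends in a session without re-checking the second factor), as an added illustration that is not rubygems.org's code and does not reproduce the actual workaround on its forgotten-password form: a self-contained Ruby sketch of a password-reset step that treats a valid reset token as full proof of identity, beside a hardened version that, for MFA-enrolled accounts, also requires a valid TOTP code before the password changes. The user record, the token store, the PBKDF2 password hashing and the RFC 6238 TOTP helper are all constructed for this example and stand in for whatever a real application uses.

```ruby
require "openssl"
require "securerandom"
require "digest"

# Constructed in-memory user record for the example; not rubygems.org's model.
# mfa_secret is nil for accounts without MFA.
User = Struct.new(:email, :password_digest, :mfa_secret, keyword_init: true)

SALT_LEN = 16

def derive_key(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 10_000, length: 32, hash: "sha256")
end

# Stored form is salt || PBKDF2-SHA256(password); a stand-in for bcrypt.
def hash_password(password)
  salt = SecureRandom.random_bytes(SALT_LEN)
  salt + derive_key(password, salt)
end

# Constant-time byte comparison, used for both password and OTP checks.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def password_matches?(user, password)
  salt = user.password_digest.byteslice(0, SALT_LEN)
  secure_equal?(user.password_digest.byteslice(SALT_LEN..-1), derive_key(password, salt))
end

# RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) over a raw shared secret.
def totp(secret, at, step: 30, digits: 6)
  mac = OpenSSL::HMAC.digest("sha1", secret, [at.to_i / step].pack("Q>"))
  offset = mac.getbyte(-1) & 0x0f
  code = (mac.byteslice(offset, 4).unpack1("N") & 0x7fffffff) % (10**digits)
  format("%0#{digits}d", code)
end

# Accept the current window and the previous one to tolerate clock drift.
def otp_valid?(user, otp, at)
  return false unless otp.is_a?(String)
  [0, 30].any? { |skew| secure_equal?(totp(user.mfa_secret, at - skew), otp) }
end

# Single-use, expiring reset tokens; only the hash of each token is stored.
class ResetTokens
  TTL = 15 * 60
  def initialize
    @entries = {}
  end
  def issue(user, now)
    raw = SecureRandom.urlsafe_base64(24)
    @entries[Digest::SHA256.hexdigest(raw)] = { email: user.email, expires_at: now + TTL }
    raw
  end
  # Owning email for a live token, nil otherwise; does not consume the token.
  def lookup(raw, now)
    entry = @entries[Digest::SHA256.hexdigest(raw)]
    return nil if entry.nil? || now > entry[:expires_at]
    entry[:email]
  end
  def consume(raw)
    @entries.delete(Digest::SHA256.hexdigest(raw))
  end
end

# WEAK: a live reset token is treated as full proof of identity, so whoever can
# read the mailbox sets a new password and owns the account, MFA or not (CWE-287).
def reset_password_weak(users, tokens, raw_token, new_password, now)
  email = tokens.lookup(raw_token, now)
  return [:error, :bad_token] unless email
  users.fetch(email).password_digest = hash_password(new_password)
  tokens.consume(raw_token)
  [:ok, email]
end

# HARDENED: the token proves control of the mailbox only. For an MFA-enabled
# account the reset must also carry a valid OTP; the token is burned only on success.
def reset_password_hardened(users, tokens, raw_token, new_password, now, otp: nil)
  email = tokens.lookup(raw_token, now)
  return [:error, :bad_token] unless email
  user = users.fetch(email)
  unless user.mfa_secret.nil?
    return [:error, :mfa_required] if otp.nil?
    return [:error, :invalid_otp] unless otp_valid?(user, otp, now)
  end
  user.password_digest = hash_password(new_password)
  tokens.consume(raw_token)
  [:ok, email]
end

# Constructed fixture: one MFA-enrolled user, keyed by email.
def demo_users
  alice = User.new(email: "alice@example.test", password_digest: hash_password("original-password"),
                   mfa_secret: SecureRandom.random_bytes(20))
  { alice.email => alice }
end
```

Calling reset_password_weak with a freshly issued token for the MFA-enrolled user returns [:ok, "alice@example.test"] and changes the password with no second factor involved, which is exactly the outcome an email-account compromise should not be able to reach. reset_password_hardened returns [:error, :mfa_required] for the same request, [:error, :invalid_otp] for a wrong code, and only completes once the TOTP verifies; the token is consumed only then, so a wrong code does not silently burn the legitimate user's reset link. The same rule applies to every other recovery path that ends in a session or a credential change: a reset token (or any email-delivered secret) demonstrates control of the mailbox, never of the second factor, and the MFA check has to happen again on that path, with the usual rate limiting on OTP attempts.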

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/21xxx/CVE-2024-21654.json",
    "cwe_ids": [
        "CWE-287"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/rubygems/rubygems.org

Affected ranges

Type
GIT
Repo
https://github.com/rubygems/rubygems.org
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21654.json"