Vulnerability DatabaseCVE-2022-36073

CVE-2022-36073:
RubyGems vulnerability analysis and mitigation

Overview

A security vulnerability (CVE-2022-36073) was discovered in RubyGems.org, the Ruby community's gem hosting service. The vulnerability was disclosed on September 7, 2022, and involved a bug in the password and email change confirmation code that allowed attackers to change their RubyGems.org account's email to an unowned email address (GitHub Advisory).

Technical details

The vulnerability stemmed from a flaw in the email confirmation system where the unconfirmed_email was not properly handled during the confirmation token generation process. The issue was related to authentication (CWE-287) and affected the account management functionality of RubyGems.org (NVD CNA Status).

Impact

The vulnerability's impact was significant as it could allow an attacker with access to a compromised account to save API keys for that account. When a legitimate user attempted to create an account with their email (requiring a password reset to gain access) and was granted access to other gems, the attacker would then be able to publish and yank versions of those gems (GitHub Advisory).

Mitigation and workarounds

The vulnerability was patched through commit 90c9e6aac2d91518b479c51d48275c57de492d4d, which modified the confirmation token generation process to properly handle unconfirmed email addresses (GitHub Commit).

Additional resources

Source: This report was generated using AI

Related RubyGems vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2023-5214	CRITICAL	9.8	Ruby	bolt	No	Yes	Oct 06, 2023
CVE-2023-5363	HIGH	7.5	MySQL	openssl-snapsafe-libs-debuginfo	No	Yes	Oct 25, 2023
CVE-2023-6129	MEDIUM	6.5	MySQL	mysql:8.0::mysql-server	No	Yes	Jan 09, 2024
CVE-2024-0727	MEDIUM	5.5	Python	libopenssl-1_0_0-devel-32bit	No	Yes	Jan 26, 2024
CVE-2023-28756	MEDIUM	5.3	Ruby	ruby:2.5::ruby-libs	No	Yes	Mar 31, 2023