What is CVE-2022-36073?

CVE-2022-36073 is a vulnerability in RubyGems.org that allowed an attacker to change their account's email to an unowned email address and potentially gain unauthorized access.

What is the severity of CVE-2022-36073?

CVE-2022-36073 has a severity rating of 8.8 (High).

How does CVE-2022-36073 impact RubyGems.org?

CVE-2022-36073 allows an attacker to change their account's email, potentially giving them unauthorized access to an account and its associated API keys.

How can I mitigate the risk of CVE-2022-36073?

To mitigate the risk of CVE-2022-36073, it is recommended to apply the patch provided by RubyGems.org and verify that your account's email has not been changed without your knowledge.

Where can I find more information about CVE-2022-36073?

For more information about CVE-2022-36073, you can refer to the official GitHub commits and security advisories available at the provided references.

Vulnerability/
CVE-2022-36073

high

8.8

CWE

287

7/9/2022

3/8/2024

CVE-2022-36073: RubyGems allows creation of users with arbitrary unverified emails

First published: Wed Sep 07 2022(Updated: )

RubyGems.org is the Ruby community gem host. A bug in password & email change confirmation code allowed an attacker to change their RubyGems.org account's email to an unowned email address. Having access to an account whose email has been changed could enable an attacker to save API keys for that account, and when a legitimate user attempts to create an account with their email (and has to reset password to gain access) and is granted access to other gems, the attacker would then be able to publish and yank versions of those gems. Commit number 90c9e6aac2d91518b479c51d48275c57de492d4d contains a patch for this issue.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Rubygems Rubygems	<2022-08-31

Remedy

https://github.com/rubygems/rubygems.org/commit/90c9e6aac2d91518b479c51d48275c57de492d4d

Remedy

https://github.com/rubygems/rubygems.org/security/advisories/GHSA-8qpf-wf2p-25vg

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-36073?
CVE-2022-36073 is a vulnerability in RubyGems.org that allowed an attacker to change their account's email to an unowned email address and potentially gain unauthorized access.
What is the severity of CVE-2022-36073?
CVE-2022-36073 has a severity rating of 8.8 (High).
How does CVE-2022-36073 impact RubyGems.org?
CVE-2022-36073 allows an attacker to change their account's email, potentially giving them unauthorized access to an account and its associated API keys.
How can I mitigate the risk of CVE-2022-36073?
To mitigate the risk of CVE-2022-36073, it is recommended to apply the patch provided by RubyGems.org and verify that your account's email has not been changed without your knowledge.
Where can I find more information about CVE-2022-36073?
For more information about CVE-2022-36073, you can refer to the official GitHub commits and security advisories available at the provided references.

collector/nvd-index
agent/references
agent/type
agent/remedy
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/weakness
agent/severity
agent/author
agent/last-modified-date
agent/title
agent/event
agent/first-publish-date
agent/description
agent/tags
vendor/rubygems
canonical/rubygems rubygems

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.