脆弱性情報
高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
RubyGems allows creation of users with arbitrary unverified emails
脆弱性説明
RubyGems.org is the Ruby community gem host. A bug in password & email change confirmation code allowed an attacker to change their RubyGems.org account's email to an unowned email address. Having access to an account whose email has been changed could enable an attacker to save API keys for that account, and when a legitimate user attempts to create an account with their email (and has to reset password to gain access) and is granted access to other gems, the attacker would then be able to publish and yank versions of those gems. Commit number 90c9e6aac2d91518b479c51d48275c57de492d4d contains a patch for this issue.
CVSS情報
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
脆弱性タイプ
认证机制不恰当
脆弱性タイトル
RubyGems 授权问题漏洞
脆弱性説明
RubyGems是RubyGems组织的一款Ruby程序包管理器。该产品主要用于发布和管理Ruby程序包。 RubyGems 存在安全漏洞,该漏洞源于密码和电子邮件更改确认代码中的错误允许攻击者将其RubyGems.org帐户的电子邮件更改为无主的电子邮件地址,访问电子邮件已更改的帐户可能使攻击者能够保存该帐户的API密钥,并且当合法用户尝试使用其电子邮件创建帐户并被授予访问权限时,攻击者将能够发布和删除这些版本。
CVSS情報
N/A
脆弱性タイプ
N/A