OTP brute force possible on API endpoints that create API Keys

Moderate
segiddins published GHSA-9m38-prpc-m7w3 Sep 7, 2022

Package

bundler rubygems.org (RubyGems)

Affected versions

n/a

Patched versions

n/a

Description

Impact

Attackers could bypass rate limits on MFA-protected endpoints by making requests against api/v1/api_key/ routes.
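The gap described above, as an added example that is not rubygems.org code or the patch: a per-IP throttle whose protected-route list omits the API key routes lets every request through to OTP verification, while the same throttle with the route added caps them. The class, limits, client IP and the `/session/mfa` route are constructed assumptions; only `api/v1/api_key` comes from the advisory.

```ruby
# Added illustration: fixed-window throttle keyed by client IP.
# LIMIT, WINDOW and every route except /api/v1/api_key are constructed.
class OtpThrottle
  LIMIT  = 10   # constructed: OTP attempts allowed per window
  WINDOW = 300  # constructed: window length in seconds

  def initialize(protected_prefixes)
    @prefixes = protected_prefixes
    @hits = Hash.new(0)
  end

  # True when the request may proceed to OTP verification.
  def allow?(ip, path, now)
    return true unless covered?(path) # uncovered routes are never counted
    bucket = [ip, now.to_i / WINDOW]
    @hits[bucket] += 1
    @hits[bucket] <= LIMIT
  end

  # Normalize so "/api/v1/api_key/" and "/api/v1/api_key.json" also match.
  def covered?(path)
    clean = path.sub(/\.\w+\z/, "").chomp("/")
    @prefixes.any? { |p| clean == p || clean.start_with?("#{p}/") }
  end
end

# How many of `attempts` requests from one IP reach OTP verification.
def requests_reaching_verifier(throttle, path, attempts)
  t0 = Time.at(0) # all requests fall in the same window
  (1..attempts).count { throttle.allow?("203.0.113.7", path, t0) }
end

WEAK  = ["/session/mfa"].freeze                     # hypothetical list missing the API key routes
FIXED = ["/session/mfa", "/api/v1/api_key"].freeze  # same list plus the route from the advisory
ROUTES = ["/session/mfa", "/api/v1/api_key",
          "/api/v1/api_key/", "/api/v1/api_key.json"].freeze

# Route => number of requests (out of 1000) that were not throttled.
def report(prefixes)
  ROUTES.to_h { |r| [r, requests_reaching_verifier(OtpThrottle.new(prefixes), r, 1000)] }
end

if __FILE__ == $PROGRAM_NAME
  puts "weak:  #{report(WEAK)}"
  puts "fixed: #{report(FIXED)}"
end
```

A regression test in this shape, run over every route that verifies an OTP, catches a newly added MFA-protected endpoint that was never registered with the throttle.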

Patches

Patched in e870835

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs