Brute force OTP on gem push request with IP rotation

Moderate
sonalkr132 published GHSA-c55g-q6f4-5qxr Jul 29, 2022

Package

bundler rubygems.org (RubyGems)

Affected versions

n/a

Patched versions

n/a

Description

Impact

We have a rate limit of 300 requests / 5 minutes and 600 requests / 25 hours per IP address on the gem push request (POST /api/v1/gems). Because these limits were keyed only on the client's source IP address, an attacker using an IP rotator could keep each address under the threshold and brute force a user's OTP code against this endpoint.

Impact

Brute forcing the OTP code could be escalated to account takeover if the attacker already had access to the user's password, or if they could hijack the user's session by some other method.

Patches

We have added a rate limit of 300 requests / 5 minutes and 900 requests / 25 hours on each user account, in addition to the per-IP limit. Because this limit is keyed on the account rather than the source address, it can't be bypassed by changing the IP address of the client. Please check #3121 for more details.
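As an added illustration of why a per-account limit closes the gap (this is example code written for this page, not rubygems.org code and not the implementation in #3121): a minimal in-memory limiter that applies the limits quoted above keyed both by client IP and by the target account, followed by a simulation of an attacker who rotates to a fresh source address before each IP's 5-minute budget runs out. The `PushRateLimiter` and `simulate_rotating_attacker` names, the 198.51.100.x / 203.0.113.x addresses (RFC 5737 documentation ranges) and the account names are all constructed for the example.

```ruby
# Example only: a sliding-window limiter keyed by IP and by account.
# Not rubygems.org code; limits are the figures from the advisory text.
class PushRateLimiter
  IP_LIMITS      = [[300, 5 * 60], [600, 25 * 3600]].freeze  # [max, window_seconds]
  ACCOUNT_LIMITS = [[300, 5 * 60], [900, 25 * 3600]].freeze
  LONGEST_WINDOW = 25 * 3600

  # Pass account_limits: [] to model the pre-fix behaviour (per-IP limits only).
  def initialize(ip_limits: IP_LIMITS, account_limits: ACCOUNT_LIMITS)
    @ip_limits = ip_limits
    @account_limits = account_limits
    @hits = Hash.new { |h, k| h[k] = [] }  # key => timestamps of accepted requests
  end

  # Returns :ok when the push attempt may proceed to OTP verification,
  # or [:throttled, :ip] / [:throttled, :account] when a limit is exhausted.
  def attempt(ip:, account:, now: Time.now.to_f)
    return [:throttled, :ip] unless allowed?("ip:#{ip}", @ip_limits, now)
    return [:throttled, :account] unless allowed?("account:#{account}", @account_limits, now)

    record("ip:#{ip}", now)
    record("account:#{account}", now)
    :ok
  end

  private

  # Every configured window for this key must still have headroom.
  def allowed?(key, limits, now)
    limits.all? do |max, window|
      @hits[key].count { |t| t > now - window } < max
    end
  end

  def record(key, now)
    @hits[key] << now
    @hits[key].reject! { |t| t <= now - LONGEST_WINDOW }  # keep memory bounded
  end
end

# Attacker model: one OTP guess per request, ten requests per second, and a
# new source IP every `rotate_every` requests so no single IP reaches 300.
# Returns how many guesses reached the OTP check before being throttled.
def simulate_rotating_attacker(limiter, guesses:, rotate_every: 299, account: "victim")
  accepted = 0
  guesses.times do |i|
    ip = "198.51.100.#{i / rotate_every}"      # constructed, rotates with i
    now = 1_000.0 + i * 0.1                     # constructed clock, all within 5 minutes
    break unless limiter.attempt(ip: ip, account: account, now: now) == :ok
    accepted += 1
  end
  accepted
end

if __FILE__ == $0
  per_ip_only = PushRateLimiter.new(account_limits: [])
  puts "per-IP limits only:        #{simulate_rotating_attacker(per_ip_only, guesses: 1000)} guesses accepted"
  patched = PushRateLimiter.new
  puts "per-IP and per-account:    #{simulate_rotating_attacker(patched, guesses: 1000)} guesses accepted"
end
```

With per-IP limits only, rotating every 299 requests lets all 1000 guesses through; with the per-account limit added, the 301st guess against the same account is rejected regardless of which address it comes from, while pushes for an unrelated account are unaffected.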

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs