Skip to content

Bypass session verification for creating new API keys

Moderate
sonalkr132 published GHSA-hh2h-f8vr-xc6q Jun 26, 2022

Package

bundler rubygems.org (RubyGems)

Affected versions

n/a

Patched versions

n/a

Description

Summary

We prompt users to re-enter the password when they visit the new API keys page. This ensures that an unattended session can't be exploited to create new API keys. It was possible to bypass this step by reusing the _rubygems_session cookie where the verification key was already set.

Impact

An attacker could create new API keys for the user if they also have access to a compromised user session. Note that this exploit does not have any impact on its own, the attacker needs to compromise the user session using an alternate method. The new API key page is only accessible if the user is already logged in.

Patches

Please check cf845fd5 for details for the patch.

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs