Security

SECURITY.md

Security Policy

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly.

For any security bug or issue with the RubyGems client or RubyGems.org service, please email [email protected] with details about the problem or submit a report using HackerOne.

For additional information about RubyGems security, please see https://rubygems.org/pages/security.

Remote DoS when publishing a package
GHSA-4vc5-whwr-7hh2 published May 29, 2024 by segiddins

Moderate
MFA Bypass through password reset function could allow account takeover of a compromised email
GHSA-4v23-vj8h-7jp2 published Jan 8, 2024 by martinemde

Moderate
Unauthorized gem replacement for full names ending in numbers
GHSA-rxcq-2m4f-94wm published Aug 17, 2023 by segiddins

High
OTP brute force possible on API endpoints that create API Keys
GHSA-9m38-prpc-m7w3 published Sep 7, 2022 by segiddins

Moderate
Ability to create users with arbitrary unverified emails
GHSA-8qpf-wf2p-25vg published Sep 1, 2022 by segiddins

High
Brute force OTP on gem push request with IP rotation
GHSA-c55g-q6f4-5qxr published Jul 29, 2022 by sonalkr132

Moderate
Bypass rate limit on profile edit page using IP rotation
GHSA-c439-3pcx-3675 published Jun 26, 2022 by sonalkr132

Low
Bypass session verification for creating new API keys
GHSA-hh2h-f8vr-xc6q published Jun 26, 2022 by sonalkr132

Moderate
Brute force OTP with IP rotation
GHSA-8m6q-8hm4-fvh2 published Jun 11, 2022 by indirect

High
DoS using cache poistioning
GHSA-39xx-gpq2-q2xv published Jun 11, 2022 by indirect

Moderate

Learn more about advisories related to rubygems/rubygems.org in the GitHub Advisory Database