Summary
A bug in password & email change confirmation code allowed an attacker to change their RubyGems.org account's email to an unowned email address.
Impact
Having access to an account whose email has been changed could enable an attacker to save API keys for that account, and when a legitimate user attempts to create an account with their email (and has to reset password to gain access) and is granted access to other gems, the attacker would then be able to publish & yank versions of those gems.
Patches
The bug was fixed via 90c9e6a
laursisask Analyst
Summary
A bug in password & email change confirmation code allowed an attacker to change their RubyGems.org account's email to an unowned email address.
Impact
Having access to an account whose email has been changed could enable an attacker to save API keys for that account, and when a legitimate user attempts to create an account with their email (and has to reset password to gain access) and is granted access to other gems, the attacker would then be able to publish & yank versions of those gems.
Patches
The bug was fixed via 90c9e6a