PT-2022-23161 · Unknown · Rubygems.Org

Segiddins · Published 2022-09-07 · Updated 2022-09-12 · CVE-2022-36073

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: RubyGems.org (affected versions not specified)

Description: A bug in the password and email change confirmation code allowed an attacker to change their RubyGems.org account's email to an email address they did not own. This could enable the attacker to save API keys for that account. When the legitimate owner of that email address later attempts to create an account and has to reset the password to gain access, the attacker would then be able to publish and yank versions of that account's gems.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2022-36073, GHSA-8QPF-WF2P-25VG

Affected Products: Rubygems.Org