Misconfigured Reset Password Permissions

High
KesterTan published GHSA-v46j-h43h-rwrm Oct 25, 2024

Package

bundler Autolab (RubyGems)

Affected versions

==3.0.0

Patched versions

3.0.1

Description

Impact

For email-based accounts, users with insufficient privileges could trigger a password reset on privileged users' accounts and thereby potentially gain access to those accounts.
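The defensive control this advisory implies is an authorization check on who may initiate a reset for whom. The following Ruby is an added illustration, not Autolab's code and not the v3.0.1 fix: the role names, their ranking, and the `password_reset_allowed?`/`reset_password` helpers are assumptions. It permits a reset only for the account owner or for an actor whose role outranks the target's, and writes an audit entry for every decision so that denied attempts are visible to operators.

```ruby
require "securerandom"

# Assumed role ordering (not Autolab's); higher rank means more privilege.
ROLE_RANK = {
  "student"          => 0,
  "course_assistant" => 1,
  "instructor"       => 2,
  "administrator"    => 3
}.freeze

# Minimal user record for the example; constructed, not from any real system.
User = Struct.new(:email, :role, keyword_init: true)

class ResetDenied < StandardError; end

# A reset of +target+'s password requested by +actor+ is allowed only when
# the actor owns the account, or the actor's role strictly outranks the
# target's. Equal rank is denied so peers cannot reset each other, and an
# unknown role on either side is denied rather than defaulting to allow.
def password_reset_allowed?(actor, target)
  return true if actor.email == target.email

  actor_rank  = ROLE_RANK[actor.role]
  target_rank = ROLE_RANK[target.role]
  return false unless actor_rank && target_rank

  actor_rank > target_rank
end

# Simulates the reset endpoint: the policy runs before any side effect, and
# both outcomes are recorded in +audit_log+ (an Array standing in for a real
# log sink) so a denied attempt leaves a trace for detection.
def reset_password(actor, target, audit_log)
  unless password_reset_allowed?(actor, target)
    audit_log << "DENIED reset of #{target.email} by #{actor.email} (#{actor.role})"
    raise ResetDenied, "#{actor.email} may not reset #{target.email}"
  end

  # One-time token that would be delivered to the target's email address.
  token = SecureRandom.hex(16)
  audit_log << "ALLOWED reset of #{target.email} by #{actor.email} (#{actor.role})"
  token
end

if __FILE__ == $PROGRAM_NAME
  log     = []
  student = User.new(email: "student@example.edu", role: "student")
  admin   = User.new(email: "admin@example.edu",   role: "administrator")

  begin
    reset_password(student, admin, log)
  rescue ResetDenied => e
    puts "denied: #{e.message}"
  end
  reset_password(admin, student, log)
  puts log
end
```

The check is deliberately fail-closed: a missing or unrecognised role yields a denial, and the ownership shortcut compares the account identity rather than trusting a client-supplied flag.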

Patches

This is fixed in v3.0.1.

Workarounds

No workarounds.

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/autolab/Autolab/
Email us at autolab-dev@andrew.cmu.edu

Severity

High

CVE ID

CVE-2024-49376

Weaknesses

No CWEs

Credits