
RubyGems Fixes Critical Unauthorized Gem Takeover Flaw

This was a simple oversight and there is no evidence it has been exploited. Authentication and most rights were indeed checked, but the check that the gem being accessed was indeed the one the user is permitted to access was missing; this is now fixed. RubyGems also now sends an email to the gem owner when a gem is yanked or published. Ref https://github.com/rubygems/rubygems.org/security/advisories/GHSA-hccv-rwq6-vh79
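The missing check described above is an object-level authorization gap: the caller is authenticated and is an owner of something, but the record that is finally modified is not tied back to the gem that ownership was verified for. The Ruby below is an added illustration, not rubygems.org code; the registry, record types and method names (`GemRegistry`, `yank_unscoped`, `yank`, `notify_owners`) are hypothetical, and the sample gems and versions are constructed. It places the unscoped lookup beside the scoped one and adds the owner notification the fix introduced.

```ruby
# Added example (not rubygems.org code): a minimal model of the
# object-level authorization check the advisory describes.
# All names here are hypothetical; the data is constructed.

GemRecord     = Struct.new(:name, :owners)              # owners: usernames
VersionRecord = Struct.new(:gem_name, :number, :yanked)

class YankError < StandardError; end

class GemRegistry
  attr_reader :versions, :notifications

  def initialize(gems, versions)
    @gems = gems.each_with_object({}) { |g, h| h[g.name] = g }
    @versions = versions
    @notifications = []
  end

  # Vulnerable shape: the user is authenticated and verified as an owner of
  # the named gem, but the version is then looked up by number alone, so the
  # record modified may belong to a different gem than the one authorized.
  def yank_unscoped(user, gem_name, number)
    gem = @gems.fetch(gem_name) { raise YankError, "no such gem" }
    raise YankError, "not an owner" unless gem.owners.include?(user)
    version = @versions.find { |v| v.number == number && !v.yanked }
    raise YankError, "no such version" if version.nil?
    version.yanked = true
    version
  end

  # Fixed shape: the version lookup is scoped to the gem the ownership check
  # covered, so the object acted on is exactly the one the permission applies
  # to, and owners are notified afterwards.
  def yank(user, gem_name, number)
    gem = @gems.fetch(gem_name) { raise YankError, "no such gem" }
    raise YankError, "not an owner" unless gem.owners.include?(user)
    version = @versions.find do |v|
      v.gem_name == gem.name && v.number == number && !v.yanked
    end
    raise YankError, "no such version" if version.nil?
    version.yanked = true
    notify_owners(gem, "yanked #{gem.name} #{number}")
    version
  end

  private

  # Records one notification per owner; a real service would send email.
  def notify_owners(gem, message)
    gem.owners.each { |owner| @notifications << [owner, message] }
  end
end

# Constructed sample data: two unrelated gems that share a version number.
def build_registry
  gems = [GemRecord.new("alpha", ["alice"]), GemRecord.new("beta", ["bob"])]
  versions = [
    VersionRecord.new("alpha", "1.0.0", false),
    VersionRecord.new("beta", "1.0.0", false),
  ]
  GemRegistry.new(gems, versions)
end
```

With the sample data, `yank_unscoped("bob", "beta", "1.0.0")` passes both the authentication and ownership checks yet marks alpha's 1.0.0 as yanked, because the first unyanked version with that number belongs to alpha; `yank` with the same arguments affects only beta's record and refuses a request against alpha, which bob does not own. The lesson generalizes beyond yanking: every lookup that follows an ownership check must carry the owned object's identity into its query.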