Description
RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900.
References (8)
Core 8
Core References
Vendor Advisory x_refsource_confirm
http://blog.rubygems.org/2015/06/08/2.2.5-released.html
Third Party Advisory x_refsource_misc
https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/75431
Third Party Advisory x_refsource_misc
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478
Vendor Advisory x_refsource_confirm
http://blog.rubygems.org/2015/06/08/2.4.8-released.html
Various Sources x_refsource_confirm
https://puppet.com/security/cve/CVE-2015-3900
Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
Scores
EPSS
0.0052
EPSS Percentile
67.1%
Details
CWE
CWE-20
Status
published
Products (32)
oracle/solaris
11.3
rubygems/rubygems
2.0.0 (6 CPE variants)
rubygems/rubygems
2.0.1
rubygems/rubygems
2.0.2
rubygems/rubygems
2.0.3
rubygems/rubygems
2.0.4
rubygems/rubygems
2.0.5
rubygems/rubygems
2.0.6
rubygems/rubygems
2.0.7
rubygems/rubygems
2.0.8
... and 22 more
Published
Aug 25, 2015
Tracked Since
Feb 18, 2026