1. CVE-Search
  2. CVE-2015-3900
ID CVE-2015-3900
Summary RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
References
Vulnerable Configurations
  • cpe:2.3:a:ruby-lang:ruby:1.9:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.9:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.9.1:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.9.2:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.9.3:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.1:-:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:2.1:-:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:2.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.1.3:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:2.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.1.4:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:2.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.1.5:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:2.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.8:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.9:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.10:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.11:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.12:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.0.12:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.13:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.0.13:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.14:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.0.14:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.15:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.0.15:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.4.2:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.4.3:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.4.4:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.4.5:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.4.6:*:*:*:*:*:*:*
    cpe:2.3:a:rubygems:rubygems:2.4.6:*:*:*:*:*:*:*
  • cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
    cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 22-04-2019 - 17:48)
Impact:
Exploitability:
CWE CWE-254
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:P/A:N
redhat via4
advisories
rhsa
id RHSA-2015:1657
rpms
  • rh-ruby22-ruby-0:2.2.2-12.el6
  • rh-ruby22-ruby-0:2.2.2-12.el7
  • rh-ruby22-ruby-debuginfo-0:2.2.2-12.el6
  • rh-ruby22-ruby-debuginfo-0:2.2.2-12.el7
  • rh-ruby22-ruby-devel-0:2.2.2-12.el6
  • rh-ruby22-ruby-devel-0:2.2.2-12.el7
  • rh-ruby22-ruby-doc-0:2.2.2-12.el6
  • rh-ruby22-ruby-doc-0:2.2.2-12.el7
  • rh-ruby22-ruby-irb-0:2.2.2-12.el6
  • rh-ruby22-ruby-irb-0:2.2.2-12.el7
  • rh-ruby22-ruby-libs-0:2.2.2-12.el6
  • rh-ruby22-ruby-libs-0:2.2.2-12.el7
  • rh-ruby22-ruby-tcltk-0:2.2.2-12.el6
  • rh-ruby22-ruby-tcltk-0:2.2.2-12.el7
  • rh-ruby22-rubygem-bigdecimal-0:1.2.6-12.el6
  • rh-ruby22-rubygem-bigdecimal-0:1.2.6-12.el7
  • rh-ruby22-rubygem-io-console-0:0.4.3-12.el6
  • rh-ruby22-rubygem-io-console-0:0.4.3-12.el7
  • rh-ruby22-rubygem-json-0:1.8.1-12.el6
  • rh-ruby22-rubygem-json-0:1.8.1-12.el7
  • rh-ruby22-rubygem-minitest-0:5.4.3-12.el6
  • rh-ruby22-rubygem-minitest-0:5.4.3-12.el7
  • rh-ruby22-rubygem-power_assert-0:0.2.2-12.el6
  • rh-ruby22-rubygem-power_assert-0:0.2.2-12.el7
  • rh-ruby22-rubygem-psych-0:2.0.8-12.el6
  • rh-ruby22-rubygem-psych-0:2.0.8-12.el7
  • rh-ruby22-rubygem-rake-0:10.4.2-12.el6
  • rh-ruby22-rubygem-rake-0:10.4.2-12.el7
  • rh-ruby22-rubygem-rdoc-0:4.2.0-12.el6
  • rh-ruby22-rubygem-rdoc-0:4.2.0-12.el7
  • rh-ruby22-rubygem-test-unit-0:3.0.8-12.el6
  • rh-ruby22-rubygem-test-unit-0:3.0.8-12.el7
  • rh-ruby22-rubygems-0:2.4.5-12.el6
  • rh-ruby22-rubygems-0:2.4.5-12.el7
  • rh-ruby22-rubygems-devel-0:2.4.5-12.el6
  • rh-ruby22-rubygems-devel-0:2.4.5-12.el7
refmap via4
bid 75482
confirm
fedora
  • FEDORA-2015-12501
  • FEDORA-2015-12574
  • FEDORA-2015-13157
misc
mlist [oss-security] 20150626 rubygems <2.4.8 vulnerable to DNS request hijacking (CVE-2015-3900 and CVE-2015-4020)
Last major update 22-04-2019 - 17:48
Published 24-06-2015 - 14:59
Last modified 22-04-2019 - 17:48
Back to Top