ID CVE-2015-3900
Summary RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
References
Vulnerable Configurations
  • cpe:2.3:a:ruby-lang:ruby:1.9:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.1:-:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.12:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.13:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.14:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.0.15:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:rubygems:rubygems:2.4.6:*:*:*:*:*:*:*
  • cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 22-04-2019 - 17:48)
Impact:
Exploitability:
CWE CWE-254
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: PARTIAL
  • Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:P/A:N
redhat via4
advisories
rhsa
id RHSA-2015:1657
refmap via4
bid 75482
confirm
fedora
  • FEDORA-2015-12501
  • FEDORA-2015-12574
  • FEDORA-2015-13157
misc
mlist [oss-security] 20150626 rubygems <2.4.8 vulnerable to DNS request hijacking (CVE-2015-3900 and CVE-2015-4020)
Last major update 22-04-2019 - 17:48
Published 24-06-2015 - 14:59