gsd-2015-4020
Vulnerability from gsd
Modified
2015-06-08 00:00
Details
RubyGems contains a flaw in the api_endpoint() function in remote_fetcher.rb
that is triggered when handling hostnames in SRV records. With a specially
crafted response, a context-dependent attacker may conduct DNS hijacking
attacks. This vulnerability is due to an incomplete fix for CVE-2015-3900,
which allowed redirection to an arbitrary gem server in any security domain.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2015-4020",
"description": "RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a \"DNS hijack attack.\" NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900.",
"id": "GSD-2015-4020",
"references": [
"https://www.suse.com/security/cve/CVE-2015-4020.html",
"https://alas.aws.amazon.com/cve/html/CVE-2015-4020.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rubygems-update",
"purl": "pkg:gem/rubygems-update"
}
}
],
"aliases": [
"CVE-2015-4020"
],
"details": "RubyGems contains a flaw in the api_endpoint() function in remote_fetcher.rb\nthat is triggered when handling hostnames in SRV records. With a specially\ncrafted response, a context-dependent attacker may conduct DNS hijacking\nattacks. This vulnerability is due to an incomplete fix for CVE-2015-3900,\nwhich allowed redirection to an arbitrary gem server in any security domain.\n",
"id": "GSD-2015-4020",
"modified": "2015-06-08T00:00:00.000Z",
"published": "2015-06-08T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 5.0,
"type": "CVSS_V2"
}
],
"summary": "RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record\nHostname Validation Request Hijacking\n"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-4020",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a \"DNS hijack attack.\" NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.rubygems.org/2015/06/08/2.2.5-released.html",
"refsource": "CONFIRM",
"url": "http://blog.rubygems.org/2015/06/08/2.2.5-released.html"
},
{
"name": "https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/",
"refsource": "MISC",
"url": "https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/"
},
{
"name": "75431",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/75431"
},
{
"name": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478",
"refsource": "MISC",
"url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478"
},
{
"name": "http://blog.rubygems.org/2015/06/08/2.4.8-released.html",
"refsource": "CONFIRM",
"url": "http://blog.rubygems.org/2015/06/08/2.4.8-released.html"
},
{
"name": "https://github.com/rubygems/rubygems/commit/5c7bfb5",
"refsource": "CONFIRM",
"url": "https://github.com/rubygems/rubygems/commit/5c7bfb5"
},
{
"name": "https://puppet.com/security/cve/CVE-2015-3900",
"refsource": "CONFIRM",
"url": "https://puppet.com/security/cve/CVE-2015-3900"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2015-4020",
"cvss_v2": 5.0,
"date": "2015-06-08",
"description": "RubyGems contains a flaw in the api_endpoint() function in remote_fetcher.rb\nthat is triggered when handling hostnames in SRV records. With a specially\ncrafted response, a context-dependent attacker may conduct DNS hijacking\nattacks. This vulnerability is due to an incomplete fix for CVE-2015-3900,\nwhich allowed redirection to an arbitrary gem server in any security domain.\n",
"gem": "rubygems-update",
"library": "rubygems",
"patched_versions": [
"~\u003e 2.0.17",
"~\u003e 2.2.5",
"\u003e= 2.4.8"
],
"title": "RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record\nHostname Validation Request Hijacking\n",
"url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=2.4.7",
"affected_versions": "All versions up to 2.4.7",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-20",
"CWE-937"
],
"date": "2017-12-09",
"description": "RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a \"DNS hijack attack.\" NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900.",
"fixed_versions": [
"2.4.8"
],
"identifier": "CVE-2015-4020",
"identifiers": [
"CVE-2015-4020"
],
"not_impacted": "All versions after 2.4.7",
"package_slug": "gem/rubygems-update",
"pubdate": "2015-08-25",
"solution": "Upgrade to version 2.4.8 or above.",
"title": "Improper Input Validation",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2015-4020",
"http://blog.rubygems.org/2015/06/08/2.2.5-released.html",
"http://blog.rubygems.org/2015/06/08/2.4.8-released.html",
"https://github.com/rubygems/rubygems/commit/5c7bfb5",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/",
"https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478",
"http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html",
"http://www.securityfocus.com/bid/75431",
"https://puppet.com/security/cve/CVE-2015-3900"
],
"uuid": "025b92ba-2339-41eb-a794-c8f4d01409f1"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.15:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.16:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.4.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.4.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.4.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.4.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.0:preview2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.4.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.4.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.0.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:rubygems:2.4.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-4020"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a \"DNS hijack attack.\" NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.rubygems.org/2015/06/08/2.2.5-released.html",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "http://blog.rubygems.org/2015/06/08/2.2.5-released.html"
},
{
"name": "http://blog.rubygems.org/2015/06/08/2.4.8-released.html",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "http://blog.rubygems.org/2015/06/08/2.4.8-released.html"
},
{
"name": "https://github.com/rubygems/rubygems/commit/5c7bfb5",
"refsource": "CONFIRM",
"tags": [],
"url": "https://github.com/rubygems/rubygems/commit/5c7bfb5"
},
{
"name": "https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/"
},
{
"name": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
},
{
"name": "75431",
"refsource": "BID",
"tags": [],
"url": "http://www.securityfocus.com/bid/75431"
},
{
"name": "https://puppet.com/security/cve/CVE-2015-3900",
"refsource": "CONFIRM",
"tags": [],
"url": "https://puppet.com/security/cve/CVE-2015-3900"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2017-12-09T02:29Z",
"publishedDate": "2015-08-25T17:59Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.