CVE-2015-3900
published 2015-06-24

Priority: P3 (36)
Severity: medium, CVSS 2.0 base score 5.0
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N (network-reachable, low complexity, no authentication; partial integrity impact, no confidentiality or availability impact)
EPSS: 8.93% (94.6th percentile)
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
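The endpoint discovery the description refers to, as an added example that is not code from RubyGems or from this page. RubyGems asks DNS for an SRV record at `_rubygems._tcp.<host>` and moves its API requests to the target that record names; before the fix nothing checked that the target was still inside the gem source's own domain, so whoever can answer that query (a spoofed response, or control of the zone) chooses where dependency and gem requests go. The example replaces the DNS client with a constructed table of answers for hypothetical hosts (`gems.example.com`, `gems.example.org`, `gems.internal.example`; `rubygems.org` stands in for the real source) so it runs offline, and contrasts the pre-fix behaviour with a hostname check of my own. That check is illustrative, not the project's patch; it also shows why a plain "ends with the host string" test is not enough.

```ruby
require "uri"

# Added example, not RubyGems' own code. Models the SRV-based API endpoint
# discovery behind CVE-2015-3900 with an in-memory resolver so it runs offline.

# Constructed SRV answers for hypothetical hosts: lookup name => SRV target.
FAKE_SRV = {
  "_rubygems._tcp.rubygems.org"     => "api.rubygems.org",     # legitimate delegation
  "_rubygems._tcp.gems.example.com" => "attacker.example.net", # hijacked: target is off-domain
  "_rubygems._tcp.gems.example.org" => "evilgems.example.org", # suffix trick against naive checks
}.freeze

class NoSrvRecord < StandardError; end

# Stand-in for Resolv::DNS#getresource(name, Resolv::DNS::Resource::IN::SRV).
class FakeResolver
  SrvRecord = Struct.new(:target)

  def initialize(table)
    @table = table
  end

  def srv(name)
    target = @table.fetch(name) { raise NoSrvRecord, "no SRV record for #{name}" }
    SrvRecord.new(target)
  end
end

RESOLVER = FakeResolver.new(FAKE_SRV)

# Pre-fix behaviour: follow the SRV target unconditionally.
def api_endpoint_vulnerable(uri, resolver = RESOLVER)
  uri = URI.parse(uri.to_s)
  record = resolver.srv("_rubygems._tcp.#{uri.host}")
  URI.parse("#{uri.scheme}://#{record.target.strip}#{uri.path}")
rescue NoSrvRecord
  uri # no SRV record: keep talking to the configured source
end

# Hostname check (my own): accept the host itself or a subdomain of it on a
# label boundary. A bare end_with?(host) is not enough: "evilgems.example.org"
# ends with "gems.example.org" but is not under it.
def subdomain_of?(target, host)
  t = target.to_s.downcase.chomp(".")
  h = host.to_s.downcase.chomp(".")
  return false if t.empty? || h.empty?
  t == h || t.end_with?(".#{h}")
end

# Hardened behaviour: the SRV target must stay inside the source's own domain,
# otherwise the original endpoint is kept.
def api_endpoint_hardened(uri, resolver = RESOLVER)
  uri = URI.parse(uri.to_s)
  record = resolver.srv("_rubygems._tcp.#{uri.host}")
  target = record.target.to_s.strip
  return uri unless subdomain_of?(target, uri.host)
  URI.parse("#{uri.scheme}://#{target}#{uri.path}")
rescue NoSrvRecord
  uri
end

if __FILE__ == $PROGRAM_NAME
  %w[https://rubygems.org/api/v1/dependencies
     https://gems.example.com/api/v1/dependencies
     https://gems.example.org/api/v1/dependencies
     https://gems.internal.example/api/v1/dependencies].each do |src|
    puts "#{src}\n  vulnerable -> #{api_endpoint_vulnerable(src)}\n  hardened   -> #{api_endpoint_hardened(src)}"
  end
end
```

On a system you maintain, `gem --version` shows the installed RubyGems; anything in the 2.4 series below 2.4.7 (or the 2.0/2.2 versions named above) follows the SRV target unchecked, and `gem update --system` brings it forward.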

Affected

52 ranges (showing 25). Rows that repeat the same vendor and product with no version data are collapsed, with the entry count in the last column; "-" marks a cell the page leaves empty.

Vendor      Product           Version range                   Fixed in                      Entries
debian      jruby             < jruby 1.7.20.1-2 (bookworm)   jruby 1.7.20.1-2 (bookworm)   1
debian      jruby             -                               -                             1
debian      rubygems          < jruby 1.7.20.1-2 (bookworm)   jruby 1.7.20.1-2 (bookworm)   1
debian      rubygems          -                               -                             1
jruby       jruby             >= 0, < 1.7.20.1-2              1.7.20.1-2                    3
oracle      solaris           -                               -                             1
redhat      enterprise_linux  -                               -                             2
ruby-lang   ruby              -                               -                             12
rubygems    rubygems          -                               -                             3

Upstream fixed versions, per the description: RubyGems 2.0.16, 2.2.4 and 2.4.7.

CVSS provenance

Source          CVSS version   Score   Severity   Vector
nvd             2.0            5.0     MEDIUM     AV:N/AC:L/Au:N/C:N/I:P/A:N
ghsa            -              5.0     MEDIUM     -
osv             -              5.0     MEDIUM     -
vendor_debian   -              5.0     LOW        -
vendor_redhat   -              5.0     MEDIUM     -