CVE-2015-3900
published 2015-06-24
Priority P3 · 36 · medium · 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS: 8.93% (94.6th percentile)
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
Affected
52 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | jruby | < jruby 1.7.20.1-2 (bookworm) | jruby 1.7.20.1-2 (bookworm) |
| debian | jruby | — | — |
| debian | rubygems | < jruby 1.7.20.1-2 (bookworm) | jruby 1.7.20.1-2 (bookworm) |
| debian | rubygems | — | — |
| jruby | jruby | >= 0 < 1.7.20.1-2 | 1.7.20.1-2 |
| jruby | jruby | >= 0 < 1.7.20.1-2 | 1.7.20.1-2 |
| jruby | jruby | >= 0 < 1.7.20.1-2 | 1.7.20.1-2 |
| oracle | solaris | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
CVSS provenance
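| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| ghsa | — | 5.0 | MEDIUM | — |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | LOW | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |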
OSV
RubyGems Improper Input Validation vulnerability
osv·2022-05-17·CVSS 5.0
CVE-2015-4020 [MEDIUM] RubyGems Improper Input Validation vulnerability
RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.3.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack."
NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3900.
GHSA
RubyGems Improper Input Validation vulnerability
ghsa·2022-05-17·CVSS 5.0
CVE-2015-4020 [MEDIUM] CWE-20 RubyGems Improper Input Validation vulnerability
RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.3.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack."
NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3900.
GHSA
RubyGems vulnerable to DNS hijack attack
ghsa·2022-05-14
CVE-2015-3900 [HIGH] CWE-350 RubyGems vulnerable to DNS hijack attack
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
OSV
RubyGems vulnerable to DNS hijack attack
osv·2022-05-14
CVE-2015-3900 [HIGH] RubyGems vulnerable to DNS hijack attack
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
OSV
CVE-2015-3900: RubyGems 2
osv·2015-06-24·CVSS 5.0
CVE-2015-3900 [MEDIUM] CVE-2015-3900: RubyGems 2
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
Red Hat
rubygems: incomplete fix for CVE-2015-3900
vendor_redhat·2015-05-18·CVSS 5.0
CVE-2015-4020 [MEDIUM] CWE-20 rubygems: incomplete fix for CVE-2015-3900
RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3900.
A flaw was found in the way rubygems verified the API endpoint hostname retrieved through a DNS SRV record. A man-in-the-middle attacker could use this flaw to force a client to download content from an untrusted domain.
Statement: This issue did not affect the versions of rubygems as shipped with Red Hat Enterprise Linux 6, Red Hat Ente
Red Hat
rubygems: DNS hijacking vulnerability in api_endpoint()
vendor_redhat·2015-05-14·CVSS 5.0
CVE-2015-3900 [MEDIUM] CWE-20 rubygems: DNS hijacking vulnerability in api_endpoint()
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
A flaw was found in the way rubygems verified the API endpoint hostname retrieved through a DNS SRV record. A man-in-the-middle attacker could use this flaw to force a client to download content from an untrusted domain.
Statement: This issue did not affect the versions of rubygems as shipped with Red Hat Enterprise Linux 6, Red Hat Enterprise MRG 2.5, Red Hat Satellite 6, Red Hat Openstack 5, Red Hat Openshift Enterprise 2 as they did not include support for get
Debian
CVE-2015-3900: jruby - RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does no...
vendor_debian·2015·CVSS 5.0
CVE-2015-3900 [MEDIUM] CVE-2015-3900: jruby - RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does no...
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
Scope: local
bookworm: resolved (fixed in 1.7.20.1-2)
forky: resolved (fixed in 1.7.20.1-2)
sid: resolved (fixed in 1.7.20.1-2)
trixie: resolved (fixed in 1.7.20.1-2)
Debian
CVE-2015-4020: jruby - RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does no...
vendor_debian·2015·CVSS 5.0
CVE-2015-4020 [MEDIUM] CVE-2015-4020: jruby - RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does no...
RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3900.
Scope: local
bookworm: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
HackerOne
Request Hijacking Vulnerability in RubyGems 2.6.11 and earlier
hackerone·2017-08-30·CVSS 5.0
[MEDIUM] Request Hijacking Vulnerability in RubyGems 2.6.11 and earlier
**Description:**
The RubyGems client supports a gem server API discovery functionality, which is used when pushing or pulling gems to a gem distribution/hosting server, like RubyGems.org. This functionality is provided via a SRV DNS request to the user's gem source hostname prepended with "_rubygems._tcp.". The response to this request tells the RubyGems client (aka: the gem command) where the user's gem server API is. In the default RubyGems scenario, with a gem source of https://rubygems.org, the user's SRV DNS request and reply will look like this:

```
~ $ dig srv _rubygems._tcp.rubygems.org +short
0 1 80 api.rubygems.org.
```

Due to a deficiency in DNS response verification, a MiTM positioned attacker can poison the DNS response t
Bugzilla
CVE-2015-4020 rubygems: incomplete fix for CVE-2015-3900
bugzilla·2015-08-04·CVSS 5.0
CVE-2015-4020 [MEDIUM] CVE-2015-4020 rubygems: incomplete fix for CVE-2015-3900
RubyGems before versions 2.0.16, 2.2.4 and 2.4.7 did not verify the API endpoint hostname retrieved through an SRV record (CVE-2015-3900). The fix for this flaw was found to be incomplete, as it was still possible for an attacker to bypass the hostname restriction.
Incomplete fix for CVE-2015-3900:
https://github.com/rubygems/rubygems/commit/6bbee35
Upstream fix for CVE-2015-4020:
https://github.com/rubygems/rubygems/commit/5c7bfb5
Statement:
This issue did not affect the versions of rubygems as shipped with Red Hat Enterprise Linux 6, Red Hat Enterprise MRG 2.5, Red Hat Satellite 6, Red Hat Openstack 5, Red Hat Openshift Enterprise 2, as the packages did not include the incomplete fix.
This issue did not affect the versions of ruby as s
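The entries above describe the first fix as bypassable with an SRV target "suffixed with the original domain name". As an added example (not code from RubyGems or from this page), the Ruby below contrasts a bare suffix comparison with a label-boundary comparison of the SRV target against the configured source host. The method names, the decision to accept an exact match, and the `.example` hostnames are assumptions made for illustration.

```ruby
# Added example, not RubyGems source code. All method names are hypothetical.

# Lower-case a DNS name and drop the trailing root dot seen in SRV answers.
def normalize_host(name)
  name.to_s.strip.downcase.chomp(".")
end

# Weak check: a bare suffix comparison. Any name that merely ends with the
# source host passes, including names in an unrelated domain.
def suffix_only_match?(source_host, srv_target)
  host = normalize_host(source_host)
  !host.empty? && normalize_host(srv_target).end_with?(host)
end

# Stricter check: the target must be the source host itself (assumption) or a
# subdomain of it, so the match has to begin on a label boundary (a dot).
def label_boundary_match?(source_host, srv_target)
  host = normalize_host(source_host)
  target = normalize_host(srv_target)
  return false if host.empty? || target.empty?
  target == host || target.end_with?(".#{host}")
end

# Use the SRV target only when it passes the strict check; otherwise keep
# using the configured source host.
def select_api_host(source_host, srv_target)
  label_boundary_match?(source_host, srv_target) ? normalize_host(srv_target) : normalize_host(source_host)
end

# Constructed sample data using reserved example domains.
SOURCE_HOST = "gems.example"
SAMPLE_TARGETS = ["api.gems.example.", "notgems.example.", "mirror.example.net."]

# Run both checks over every sample target and report the chosen API host.
def compare_checks(source_host, targets)
  targets.map do |t|
    { target: t,
      suffix_only: suffix_only_match?(source_host, t),
      label_boundary: label_boundary_match?(source_host, t),
      chosen: select_api_host(source_host, t) }
  end
end

compare_checks(SOURCE_HOST, SAMPLE_TARGETS).each { |row| puts row.inspect } if __FILE__ == $PROGRAM_NAME
```

The second sample target is the case that separates the two checks: it passes the suffix comparison but not the label-boundary one.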
Bugzilla
CVE-2015-3900 rubygems: DNS hijacking vulnerability in api_endpoint() [fedora-all]
bugzilla·2015-06-26·CVSS 5.0
CVE-2015-3900 [MEDIUM] CVE-2015-3900 rubygems: DNS hijacking vulnerability in api_endpoint() [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported version
Bugzilla
CVE-2015-3900 rubygems: DNS hijacking vulnerability in api_endpoint()
bugzilla·2015-06-26·CVSS 5.0
CVE-2015-3900 [MEDIUM] CVE-2015-3900 rubygems: DNS hijacking vulnerability in api_endpoint()
RubyGems before versions 2.0.16, 2.2.4 and 2.4.7 did not verify the API endpoint hostname retrieved through an SRV record.
This left clients open to a DNS hijack attack, whereby an attacker could return a SRV of their choosing and get the client to use it.
Upstream patch: https://github.com/rubygems/rubygems/commit/6bbee35
External References:
http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
Statement:
This issue did not affect the versions of rubygems as shipped with Red Hat Enterprise Linux 6, Red Hat Enterprise MRG 2.5, Red Hat Satellite 6, Red Hat Openstack 5, Red Hat Openshift Enterprise 2 as they did not include support for getting API endpoint using SRV DNS records.
This issue did not affect the versi
http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163502.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163600.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164236.html
http://rhn.redhat.com/errata/RHSA-2015-1657.html
http://www.openwall.com/lists/oss-security/2015/06/26/2
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
http://www.securityfocus.com/bid/75482
https://puppet.com/security/cve/CVE-2015-3900
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/
Published: 2015-06-24