CVE-2015-3900 — Improper Input Validation in Rubygems

CWE-254 CWE-20 — Improper Input Validation CWE-345 — Insufficient Verification of Data Authenticity CWE-350 — Reliance on Reverse DNS Resolution for a Security-Critical Action12 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

2.4%

top 14.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jruby Oracle Solaris Redhat Enterprise Linux +2 more

Timeline

PublishedJun 24

Latest updateMay 17

Description

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages4 packages

▶NVDrubygems/rubygems27 versions+26

▶Debianjruby/jruby< 1.7.20.1-2+2

▶NVDoracle/solaris11.3

▶NVDruby-lang/ruby12 versions+11

Also affects: Enterprise Linux 6.0, 7.0

Patches

Patch: blog.rubygems.org ↗Patch: blog.rubygems.org ↗

🔴Vulnerability Details

GHSA

RubyGems Improper Input Validation vulnerability↗2022-05-17

▶

GHSA

RubyGems vulnerable to DNS hijack attack↗2022-05-14

▶

OSV

RubyGems vulnerable to DNS hijack attack↗2022-05-14

▶

OSV

CVE-2015-3900: RubyGems 2↗2015-06-24

▶

CVEList

CVE-2015-3900: RubyGems 2↗2015-06-24

▶

📋Vendor Advisories

Red Hat

rubygems: incomplete fix for CVE-2015-3900↗2015-05-18

▶

Red Hat

rubygems: DNS hijacking vulnerability in api_endpoint()↗2015-05-14

▶

Debian

CVE-2015-3900: jruby - RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does no...↗2015

▶

💬Community

Bugzilla

CVE-2015-4020 rubygems: incomplete fix for CVE-2015-3900↗2015-08-04

▶

Bugzilla

CVE-2015-3900 rubygems: DNS hijacking vulnerability in api_endpoint() [fedora-all]↗2015-06-26

▶

Bugzilla

CVE-2015-3900 rubygems: DNS hijacking vulnerability in api_endpoint()↗2015-06-26

▶