CVE-2015-3900

Description

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

CVSS Metrics

• v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 2.40%• Percentile: 85%

Techniques & Countermeasures

• CWE-254•7PK - Security Features

  Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Affected Systems

• Unknown•Solaris

  11.3

• redhat•enterprise_linux

  6.0 | 7.0

• ruby-lang•ruby

  1.9 | 1.9.1 | 1.9.2 | 1.9.3 | 2.0.0 | 2.1 | 2.1.1 | 2.1.2 | 2.1.3 | 2.1.4 | 2.1.5 | 2.2.0

• rubygems•rubygems

  2.0.0 | 2.0.1 | 2.0.2 | 2.0.3 | 2.0.4 | 2.0.5 | 2.0.6 | 2.0.7 | 2.0.8 | 2.0.9 | 2.0.10 | 2.0.11 | 2.0.12 | 2.0.13 | 2.0.14 | 2.0.15 | 2.2.0 | 2.2.1 | 2.2.2 | 2.2.3 | 2.4.0 | 2.4.1 | 2.4.2 | 2.4.3 | 2.4.4 | 2.4.5 | 2.4.6

References (11)

• http://rhn.redhat.com/errata/RHSA-2015-1657.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163502.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163600.html
• http://www.openwall.com/lists/oss-security/2015/06/26/2
• https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/
• http://www.securityfocus.com/bid/75482
• https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
• http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
• https://puppet.com/security/cve/CVE-2015-3900
• http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164236.html
• http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html