[Forgot Password]
Login  Register Subscribe

30430

 
 

423868

 
 

247862

 
 

909

 
 

194603

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CVE
view JSON

CVE-2015-3900Date: (C)2015-07-02   (M)2024-02-22


RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V2 Severity:
CVSS Score : 5.0
Exploit Score: 10.0
Impact Score: 2.9
 
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE
  
Reference:
BID-75482
FEDORA-2015-12501
FEDORA-2015-12574
FEDORA-2015-13157
RHSA-2015:1657
http://www.openwall.com/lists/oss-security/2015/06/26/2
http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
https://puppet.com/security/cve/CVE-2015-3900
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/

CPE    24
cpe:/a:rubygems:rubygems:2.2.0
cpe:/a:rubygems:rubygems:2.2.1
cpe:/a:rubygems:rubygems:2.4.2
cpe:/a:rubygems:rubygems:2.4.3
...
CWE    1
CWE-254
OVAL    7
oval:org.secpod.oval:def:1200060
oval:org.secpod.oval:def:1200026
oval:org.secpod.oval:def:1200054
oval:org.secpod.oval:def:109430
...

© SecPod Technologies