CVE-2015-3900
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2015-3900
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2015-3900.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2015-3900
- Aliases
- Related
- Published
- 2015-06-24T14:59:01Z
- Modified
- 2024-09-18T01:00:21Z
- Summary
- [none]
- Details
-
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
- References
-
- http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
- http://rhn.redhat.com/errata/RHSA-2015-1657.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163502.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163600.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164236.html
- http://www.openwall.com/lists/oss-security/2015/06/26/2
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.securityfocus.com/bid/75482
- https://puppet.com/security/cve/CVE-2015-3900
- https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/
- https://security-tracker.debian.org/tracker/CVE-2015-3900
Affected packages
Debian:12 / jruby
Package
- Name
- jruby
- Purl
- pkg:deb/debian/jruby?arch=source
Debian:13 / jruby
Package
- Name
- jruby
- Purl
- pkg:deb/debian/jruby?arch=source