GHSA-wp3j-rvfp-624h

Source

https://github.com/advisories/GHSA-wp3j-rvfp-624h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wp3j-rvfp-624h/GHSA-wp3j-rvfp-624h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wp3j-rvfp-624h

Aliases

CVE-2015-3900

Published

2022-05-14T01:08:49Z

Modified

2024-02-16T08:24:24.460081Z

Summary

RubyGems vulnerable to DNS hijack attack

Details

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

References

Affected packages

RubyGems / rubygems-update

Package

Name: rubygems-update
Purl: pkg:gem/rubygems-update

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.0.16

Affected versions

2.*

2.0.0

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.0.15

RubyGems / rubygems-update

Package

Name: rubygems-update
Purl: pkg:gem/rubygems-update

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.2.4

Affected versions

2.*

2.2.0

2.2.1

2.2.2

2.2.3

RubyGems / rubygems-update

Package

Name: rubygems-update
Purl: pkg:gem/rubygems-update

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.4.0

Fixed

2.4.7

Affected versions

2.*

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6