Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2015-4020

Опубликовано: 25 авг. 2015
Источник: debian
EPSS Низкий

Описание

RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
rubygemsnot-affectedpackage
libgems-rubynot-affectedpackage
ruby1.8not-affectedpackage
ruby1.9.1not-affectedpackage
ruby2.1not-affectedpackage
ruby2.2not-affectedpackage
jrubynot-affectedpackage

Примечания

  • Original patch https://github.com/rubygems/rubygems/commit/6bbee35

  • introduced another vulnerability, assigned CVE-2015-4020. This CVE

  • only applies if only 6bbee35 was applied without 5c7bfb5

  • https://github.com/rubygems/rubygems/commit/5c7bfb5

EPSS

Процентиль: 66%
0.00524
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2015-4020

ubuntu
больше 10 лет назад

RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900.

redhat логотип

CVE-2015-4020

redhat
больше 10 лет назад

RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900.

nvd логотип

CVE-2015-4020

nvd
больше 10 лет назад

RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900.

github логотип

GHSA-qv62-xfj6-32xm

github
больше 3 лет назад

RubyGems Improper Input Validation vulnerability

EPSS

Процентиль: 66%
0.00524
Низкий