Описание
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
A vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain.
Отчет
This issue affects the versions of ruby as shipped with Red Hat Enterprise Linux 6, and 7 and the versions of rh-ruby22-ruby and rh-ruby23-ruby as shipped with Red Hat Software Collections. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | rubygems | Will not fix | ||
| Red Hat Enterprise MRG 2 | rubygems | Under investigation | ||
| Red Hat Satellite 6 | rubygems | Under investigation | ||
| Red Hat Subscription Asset Manager | ruby193-rubygems | Under investigation | ||
| Red Hat Enterprise Linux 7 | ruby | Fixed | RHSA-2018:0378 | 28.02.2018 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-ruby24-ruby | Fixed | RHSA-2017:3485 | 19.12.2017 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-ruby22-ruby | Fixed | RHSA-2018:0583 | 26.03.2018 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-ruby23-ruby | Fixed | RHSA-2018:0585 | 26.03.2018 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS | rh-ruby24-ruby | Fixed | RHSA-2017:3485 | 19.12.2017 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS | rh-ruby22-ruby | Fixed | RHSA-2018:0583 | 26.03.2018 |
Показывать по
Дополнительная информация
Статус:
7.5 High
CVSS3
Связанные уязвимости
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking v ...
RubyGems has Origin Validation Error vulnerability
7.5 High
CVSS3