RubyGems 2.0.x prior to 2.0.16, 2.2.x prior to 2.2.4, and 2.4.x prior to 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote malicious users to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
Vulnerable Product |
---|
ruby-lang ruby 2.1.1 |
ruby-lang ruby 2.1.2 |
ruby-lang ruby 1.9.3 |
ruby-lang ruby 2.0.0 |
ruby-lang ruby 2.1 |
ruby-lang ruby 1.9.1 |
ruby-lang ruby 1.9.2 |
ruby-lang ruby 2.1.5 |
ruby-lang ruby 2.2.0 |
ruby-lang ruby 1.9 |
ruby-lang ruby 2.1.3 |
ruby-lang ruby 2.1.4 |
rubygems rubygems 2.0.1 |
rubygems rubygems 2.0.2 |
rubygems rubygems 2.0.3 |
rubygems rubygems 2.0.10 |
rubygems rubygems 2.0.11 |
rubygems rubygems 2.2.2 |
rubygems rubygems 2.2.3 |
rubygems rubygems 2.0.4 |
rubygems rubygems 2.0.5 |
rubygems rubygems 2.0.12 |
rubygems rubygems 2.0.13 |
rubygems rubygems 2.4.0 |
rubygems rubygems 2.4.1 |
rubygems rubygems 2.0.6 |
rubygems rubygems 2.0.7 |
rubygems rubygems 2.0.14 |
rubygems rubygems 2.0.15 |
rubygems rubygems 2.4.2 |
rubygems rubygems 2.4.3 |
rubygems rubygems 2.0.0 |
rubygems rubygems 2.0.8 |
rubygems rubygems 2.0.9 |
rubygems rubygems 2.2.0 |
rubygems rubygems 2.2.1 |
rubygems rubygems 2.4.4 |
rubygems rubygems 2.4.5 |
rubygems rubygems 2.4.6 |
oracle solaris 11.3 |
redhat enterprise linux 7.0 |
redhat enterprise linux 6.0 |
Could affect millions
Get patching: new vulns in the RubyGems developer distribution platform could expose millions of users to malicious redirects. The hole (CVE-2015-3900), since patched, means clients could be pushed to Gem servers hosting malicious content even if HTTPS is employed. Attackers further benefited since RubyGems Gems Server Discovery did not validate whether DNS replies are from the same security domain as gem sources. Gems are used in Ruby libraries for software development and distribution and are pushed o...
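The weakness described above, in both the CVE text and the news excerpt, is that a client follows the `_rubygems._tcp.<host>` SRV answer without checking that the returned target belongs to the same domain as the configured gem source. The following is an added example (not RubyGems' own code) of the defensive check a hardened client applies: the SRV target is honoured only when it is the source host or a subdomain of it, and only when it parses as a plain hostname, so a redirect to an unrelated domain falls back to the original URI. The function names, the injectable `lookup` callable and the `CONSTRUCTED_SRV_ANSWERS` table are assumptions made for this illustration; the answers are constructed so the example runs without network access.

```ruby
require 'uri'
require 'resolv'

# Return true only if `target` (an SRV answer) may replace `source_host`.
# Accepts the host itself or a subdomain of it; rejects anything else,
# including values that are not a bare hostname (paths, whitespace, etc.).
def srv_target_allowed?(source_host, target)
  source = source_host.to_s.downcase.chomp('.')
  candidate = target.to_s.strip.downcase.chomp('.')
  return false if source.empty? || candidate.empty?

  # Only DNS-label syntax is accepted: letters, digits and hyphens, dot-separated.
  label = /[a-z0-9]([a-z0-9-]*[a-z0-9])?/
  return false unless candidate.match?(/\A#{label}(\.#{label})*\z/)

  # The dot prefix matters: "notgems.example.com" must not pass for "gems.example.com".
  candidate == source || candidate.end_with?(".#{source}")
end

# Resolve the API endpoint for a gem source, following the SRV record only
# when its target stays inside the source's own domain. `lookup` is a callable
# that maps an SRV name to its target hostname (or nil when there is no record),
# so the resolver can be swapped for constructed data in tests.
def api_endpoint(source_uri, lookup)
  uri = source_uri.is_a?(URI::Generic) ? source_uri : URI.parse(source_uri)
  target = lookup.call("_rubygems._tcp.#{uri.host}")
  return uri if target.nil?
  return uri unless srv_target_allowed?(uri.host, target)

  # Scheme and path are kept; only the host is replaced by the vetted target.
  redirected = uri.dup
  redirected.host = target.to_s.strip.chomp('.')
  redirected
end

# Real resolver built on Resolv (assumption: the SRV record, if present,
# points at the API host). Not exercised here because it needs the network.
def dns_srv_lookup
  dns = Resolv::DNS.new
  lambda do |name|
    begin
      dns.getresource(name, Resolv::DNS::Resource::IN::SRV).target.to_s
    rescue Resolv::ResolvError
      nil
    end
  end
end

# Constructed SRV answers standing in for DNS replies: one legitimate
# in-domain target, one that points at a foreign domain.
CONSTRUCTED_SRV_ANSWERS = {
  '_rubygems._tcp.gems.example.com'   => 'api.gems.example.com.',  # same domain: accepted
  '_rubygems._tcp.mirror.example.org' => 'gems.attacker.example.', # foreign domain: ignored
}.freeze
FAKE_LOOKUP = ->(name) { CONSTRUCTED_SRV_ANSWERS[name] }

if __FILE__ == $PROGRAM_NAME
  %w[https://gems.example.com/api/v1 https://mirror.example.org/ https://nosrv.example.net/].each do |src|
    puts "#{src} -> #{api_endpoint(src, FAKE_LOOKUP)}"
  end
end
```

Run the file directly to see the three outcomes: the in-domain SRV target is followed, the foreign target is discarded in favour of the configured source, and a host with no SRV record is left unchanged. Pass `dns_srv_lookup` instead of `FAKE_LOOKUP` to resolve against real DNS.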