Home > Vulnerability Database > CVE-2015-3900

Mend.io Vulnerability Database

CVE-2015-3900

Good to know:

Date: June 24, 2015

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

Language: Ruby

Severity Score

5.3

Related Resources (18)

Url: http://rhn.redhat.com/errata/RHSA-2015-1657.html

Url: http://www.openwall.com/lists/oss-security/2015/06/26/2

Url: http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2015-3900

Url: https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900

Url: http://www.securityfocus.com/bid/75482

Url: http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163600.html

Url: https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/

Url: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356

Url: http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163502.html

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2015-3900.yml

Url: http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html

Url: https://access.redhat.com/security/cve/CVE-2015-3900

Url: http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164236.html

Url: https://puppet.com/security/cve/CVE-2015-3900

Url: https://web.archive.org/web/20170331091241/https://puppet.com/security/cve/CVE-2015-3900

Url: https://web.archive.org/web/20200228055155/http://www.securityfocus.com/bid/75482

Url: https://www.mend.io/vulnerability-database/CVE-2015-3900

Severity Score

5.3

Weakness Type (CWE)

Security Features

CWE-254

Reliance on Reverse DNS Resolution for a Security-Critical Action

CWE-350

Top Fix

Upgrade Version

Upgrade to version 2.0.16,2.2.4,2.4.7

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2015-3900

Good to know:

Date: June 24, 2015

Language: Ruby

Severity Score

Related Resources (18)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?