CVE-2015-3900
Description
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a DNS hijack attack.
Risk Information
Base Score
9.8
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
2.401
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2015-3900 are fixed in Ruby-rubygems-update 2.0.16 | Windows |
| Vulnerabilities CVE-2015-3900 are fixed in Ruby-rubygems-update 2.2.4 | Windows |
| Vulnerabilities CVE-2015-3900 are fixed in Ruby-rubygems-update 2.4.7 | Windows |
| SUSE-SU-2017:1067-1(SUSE Linux Enterprise Desktop 12-SP1 ) libruby2_1-2_1-2.1.9-15.1.x86_64.rpm | Linux |
| SUSE-SU-2017:1067-1(SUSE Linux Enterprise Desktop 12-SP1 ) libruby2_1-2_1-debuginfo-2.1.9-15.1.x86_64.rpm | Linux |
| SUSE-SU-2017:1067-1(SUSE Linux Enterprise Desktop 12-SP1 ) ruby2.1-2.1.9-15.1.x86_64.rpm | Linux |
| SUSE-SU-2017:1067-1(SUSE Linux Enterprise Desktop 12-SP1 ) ruby2.1-debuginfo-2.1.9-15.1.x86_64.rpm | Linux |
| SUSE-SU-2017:1067-1(SUSE Linux Enterprise Desktop 12-SP1 ) ruby2.1-debugsource-2.1.9-15.1.x86_64.rpm | Linux |
| SUSE-SU-2017:1067-1(SUSE Linux Enterprise Desktop 12-SP1 ) ruby2.1-stdlib-2.1.9-15.1.x86_64.rpm | Linux |
| SUSE-SU-2017:1067-1(SUSE Linux Enterprise Desktop 12-SP1 ) ruby2.1-stdlib-debuginfo-2.1.9-15.1.x86_64.rpm | Linux |
| Vulnerabilities CVE-2015-3900 are fixed in Ruby-rubygems-update for Linux 2.0.16 | Linux |
| Vulnerabilities CVE-2015-3900 are fixed in Ruby-rubygems-update for Linux 2.2.4 | Linux |
| Vulnerabilities CVE-2015-3900 are fixed in Ruby-rubygems-update for Linux 2.4.7 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234