RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-06-24T14:00:00

Updated: 2024-08-06T05:56:16.332Z

Reserved: 2015-05-12T00:00:00

Link: CVE-2015-3900

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2015-06-24T14:59:01.190

Modified: 2024-11-21T02:30:03.087

Link: CVE-2015-3900

cve-icon Redhat

Severity : Important

Publid Date: 2015-05-14T00:00:00Z

Links: CVE-2015-3900 - Bugzilla