CVE-2015-3900

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:N/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 94%
Affected Products (NVD)
VendorProductVersion
ruby-langruby
1.9
ruby-langruby
1.9.1
ruby-langruby
1.9.2
ruby-langruby
1.9.3
ruby-langruby
2.0.0
ruby-langruby
2.1
ruby-langruby
2.1.1
ruby-langruby
2.1.2
ruby-langruby
2.1.3
ruby-langruby
2.1.4
ruby-langruby
2.1.5
ruby-langruby
2.2.0
rubygemsrubygems
2.0.0
rubygemsrubygems
2.0.1
rubygemsrubygems
2.0.2
rubygemsrubygems
2.0.3
rubygemsrubygems
2.0.4
rubygemsrubygems
2.0.5
rubygemsrubygems
2.0.6
rubygemsrubygems
2.0.7
rubygemsrubygems
2.0.8
rubygemsrubygems
2.0.9
rubygemsrubygems
2.0.10
rubygemsrubygems
2.0.11
rubygemsrubygems
2.0.12
rubygemsrubygems
2.0.13
rubygemsrubygems
2.0.14
rubygemsrubygems
2.0.15
rubygemsrubygems
2.2.0
rubygemsrubygems
2.2.1
rubygemsrubygems
2.2.2
rubygemsrubygems
2.2.3
rubygemsrubygems
2.4.0
rubygemsrubygems
2.4.1
rubygemsrubygems
2.4.2
rubygemsrubygems
2.4.3
rubygemsrubygems
2.4.4
rubygemsrubygems
2.4.5
rubygemsrubygems
2.4.6
oraclesolaris
11.3
redhatenterprise_linux
6.0
redhatenterprise_linux
7.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
jruby
bookworm
9.3.9.0+ds-8
fixed
jessie
not-affected
sid
9.4.8.0+ds-1
fixed
squeeze
not-affected
trixie
9.4.8.0+ds-1
fixed
wheezy
not-affected
rubygems
bookworm
3.3.15-2
fixed
bullseye
3.2.5-2
fixed
jessie
not-affected
sid
3.4.20-1
fixed
squeeze
not-affected
trixie
3.4.20-1
fixed
wheezy
not-affected
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jruby
precise
not-affected
trusty
not-affected
utopic
not-affected
vivid
not-affected
wily
not-affected
libgems-ruby
precise
dne
trusty
dne
utopic
dne
vivid
dne
wily
dne
ruby1.8
precise
not-affected
trusty
dne
utopic
dne
vivid
dne
wily
dne
ruby1.9.1
precise
not-affected
trusty
dne
utopic
not-affected
vivid
not-affected
wily
dne
ruby2.1
precise
dne
trusty
dne
utopic
ignored
vivid
ignored
wily
not-affected
ruby2.2
precise
dne
trusty
dne
utopic
dne
vivid
dne
wily
not-affected
ruby2.3
precise
dne
trusty
dne
utopic
dne
vivid
dne
wily
dne
rubygems
precise
not-affected
trusty
dne
utopic
dne
vivid
dne
wily
dne
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libruby2_1-2_1
suse enterprise sap 12 SP1
2.1.9-15.1
fixed
suse enterprise sap 12 SP5
2.1.9-18.1
fixed
suse enterprise server 12 SP1
2.1.9-15.1
fixed
suse enterprise server 12 SP3
2.1.9-18.1
fixed
suse enterprise server 12 SP4
2.1.9-18.1
fixed
suse enterprise server 12 SP5
2.1.9-18.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
ruby20
Amazon Linux 1
0:2.0.0.645-1.27.amzn1
fixed
ruby20-debuginfo
Amazon Linux 1
0:2.0.0.645-1.27.amzn1
fixed
ruby20-devel
Amazon Linux 1
0:2.0.0.645-1.27.amzn1
fixed
ruby20-doc
Amazon Linux 1
0:2.0.0.645-1.27.amzn1
fixed
ruby20-irb
Amazon Linux 1
0:2.0.0.645-1.27.amzn1
fixed
ruby20-libs
Amazon Linux 1
0:2.0.0.645-1.27.amzn1
fixed
ruby21
Amazon Linux 1
0:2.1.6-1.17.amzn1
fixed
ruby21-debuginfo
Amazon Linux 1
0:2.1.6-1.17.amzn1
fixed
ruby21-devel
Amazon Linux 1
0:2.1.6-1.17.amzn1
fixed
ruby21-doc
Amazon Linux 1
0:2.1.6-1.17.amzn1
fixed
ruby21-irb
Amazon Linux 1
0:2.1.6-1.17.amzn1
fixed
ruby21-libs
Amazon Linux 1
0:2.1.6-1.17.amzn1
fixed
ruby22
Amazon Linux 1
0:2.2.2-1.6.amzn1
fixed
ruby22-debuginfo
Amazon Linux 1
0:2.2.2-1.6.amzn1
fixed
ruby22-devel
Amazon Linux 1
0:2.2.2-1.6.amzn1
fixed
ruby22-doc
Amazon Linux 1
0:2.2.2-1.6.amzn1
fixed
ruby22-irb
Amazon Linux 1
0:2.2.2-1.6.amzn1
fixed
ruby22-libs
Amazon Linux 1
0:2.2.2-1.6.amzn1
fixed
rubygem20-bigdecimal
Amazon Linux 1
0:1.2.0-1.27.amzn1
fixed
rubygem20-io-console
Amazon Linux 1
0:0.4.2-1.27.amzn1
fixed
rubygem20-psych
Amazon Linux 1
0:2.0.0-1.27.amzn1
fixed
rubygem21-bigdecimal
Amazon Linux 1
0:1.2.4-1.17.amzn1
fixed
rubygem21-io-console
Amazon Linux 1
0:0.4.3-1.17.amzn1
fixed
rubygem21-psych
Amazon Linux 1
0:2.0.5-1.17.amzn1
fixed
rubygem22-bigdecimal
Amazon Linux 1
0:1.2.6-1.6.amzn1
fixed
rubygem22-io-console
Amazon Linux 1
0:0.4.3-1.6.amzn1
fixed
rubygem22-psych
Amazon Linux 1
0:2.0.8-1.6.amzn1
fixed
rubygems20
Amazon Linux 1
0:2.0.14-1.27.amzn1
fixed
rubygems20-devel
Amazon Linux 1
0:2.0.14-1.27.amzn1
fixed
rubygems21
Amazon Linux 1
0:2.2.3-1.17.amzn1
fixed
rubygems21-devel
Amazon Linux 1
0:2.2.3-1.17.amzn1
fixed
rubygems22
Amazon Linux 1
0:2.4.5-1.6.amzn1
fixed
rubygems22-devel
Amazon Linux 1
0:2.4.5-1.6.amzn1
fixed
Common Weakness Enumeration
References