CVE-2015-3900

Sažetak

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

Reference

http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163502.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163600.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164236.html
http://rhn.redhat.com/errata/RHSA-2015-1657.html
http://www.openwall.com/lists/oss-security/2015/06/26/2
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
http://www.securityfocus.com/bid/75482
https://puppet.com/security/cve/CVE-2015-3900
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:N/I:P/A:N

Zadnje važnije ažuriranje

22-04-2019 - 17:48

Objavljeno

24-06-2015 - 14:59