CVE-2015-3900
First published: Wed Jun 24 2015(Updated: )
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/rubygems-update | >=2.4.0<2.4.7 | 2.4.7 |
| rubygems/rubygems-update | >=2.2.0<2.2.4 | 2.2.4 |
| rubygems/rubygems-update | >=2.0.0<2.0.16 | 2.0.16 |
| Ruby | =1.9 | |
| Ruby | =1.9.1 | |
| Ruby | =1.9.2 | |
| Ruby | =1.9.3 | |
| Ruby | =2.0.0 | |
| Ruby | =2.1 | |
| Ruby | =2.1.1 | |
| Ruby | =2.1.2 | |
| Ruby | =2.1.3 | |
| Ruby | =2.1.4 | |
| Ruby | =2.1.5 | |
| Ruby | =2.2.0 | |
| RubyGems | =2.0.0 | |
| RubyGems | =2.0.1 | |
| RubyGems | =2.0.2 | |
| RubyGems | =2.0.3 | |
| RubyGems | =2.0.4 | |
| RubyGems | =2.0.5 | |
| RubyGems | =2.0.6 | |
| RubyGems | =2.0.7 | |
| RubyGems | =2.0.8 | |
| RubyGems | =2.0.9 | |
| RubyGems | =2.0.10 | |
| RubyGems | =2.0.11 | |
| RubyGems | =2.0.12 | |
| RubyGems | =2.0.13 | |
| RubyGems | =2.0.14 | |
| RubyGems | =2.0.15 | |
| RubyGems | =2.2.0 | |
| RubyGems | =2.2.1 | |
| RubyGems | =2.2.2 | |
| RubyGems | =2.2.3 | |
| RubyGems | =2.4.0 | |
| RubyGems | =2.4.1 | |
| RubyGems | =2.4.2 | |
| RubyGems | =2.4.3 | |
| RubyGems | =2.4.4 | |
| RubyGems | =2.4.5 | |
| RubyGems | =2.4.6 | |
| Oracle Solaris and Zettabyte File System (ZFS) | =11.3 | |
| Red Hat Enterprise Linux | =6.0 | |
| Red Hat Enterprise Linux | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2015-3900
- https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/
- http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163502.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163600.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164236.html
- http://rhn.redhat.com/errata/RHSA-2015-1657.html
- http://www.openwall.com/lists/oss-security/2015/06/26/2
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- https://web.archive.org/web/20170331091241/https://puppet.com/security/cve/CVE-2015-3900
- https://web.archive.org/web/20200228055155/http://www.securityfocus.com/bid/75482
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2015-3900.yml
- https://puppet.com/security/cve/CVE-2015-3900
- https://github.com/advisories/GHSA-wp3j-rvfp-624h (Advisory)
- http://www.securityfocus.com/bid/75482
Frequently Asked Questions
What is the severity of CVE-2015-3900?
CVE-2015-3900 has a moderate severity rating due to the potential for DNS hijack attacks.
How do I fix CVE-2015-3900?
To fix CVE-2015-3900, upgrade RubyGems to version 2.0.16, 2.2.4, or 2.4.7 or later.
What versions are affected by CVE-2015-3900?
CVE-2015-3900 affects RubyGems versions 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7.
What does CVE-2015-3900 exploit?
CVE-2015-3900 exploits vulnerabilities in RubyGems' hostname validation when fetching gems or making API requests.
Who can be impacted by CVE-2015-3900?
Users of RubyGems versions prior to the patched versions are at risk of being impacted by CVE-2015-3900.
- collector/github-advisory-latest
- alias/GHSA-wp3j-rvfp-624h
- alias/CVE-2015-3900
- collector/github-advisory
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/remedy
- agent/weakness
- agent/references
- agent/severity
- agent/event
- agent/description
- agent/first-publish-date
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/rubygems
- vendor/ruby-lang
- canonical/ruby
- version/ruby/1.9
- version/ruby/1.9.1
- version/ruby/1.9.2
- version/ruby/1.9.3
- version/ruby/2.0.0
- version/ruby/2.1
- version/ruby/2.1.1
- version/ruby/2.1.2
- version/ruby/2.1.3
- version/ruby/2.1.4
- version/ruby/2.1.5
- version/ruby/2.2.0
- vendor/rubygems
- canonical/rubygems
- version/rubygems/2.0.0
- version/rubygems/2.0.1
- version/rubygems/2.0.2
- version/rubygems/2.0.3
- version/rubygems/2.0.4
- version/rubygems/2.0.5
- version/rubygems/2.0.6
- version/rubygems/2.0.7
- version/rubygems/2.0.8
- version/rubygems/2.0.9
- version/rubygems/2.0.10
- version/rubygems/2.0.11
- version/rubygems/2.0.12
- version/rubygems/2.0.13
- version/rubygems/2.0.14
- version/rubygems/2.0.15
- version/rubygems/2.2.0
- version/rubygems/2.2.1
- version/rubygems/2.2.2
- version/rubygems/2.2.3
- version/rubygems/2.4.0
- version/rubygems/2.4.1
- version/rubygems/2.4.2
- version/rubygems/2.4.3
- version/rubygems/2.4.4
- version/rubygems/2.4.5
- version/rubygems/2.4.6
- vendor/oracle
- canonical/oracle solaris and zettabyte file system (zfs)
- version/oracle solaris and zettabyte file system (zfs)/11.3
- vendor/redhat
- canonical/red hat enterprise linux
- version/red hat enterprise linux/6.0
- version/red hat enterprise linux/7.0