CVE-2015-4020: Input Validation
First published: Tue Aug 25 2015(Updated: )
RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.3.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3900.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/rubygems-update | >=2.3.0<2.4.8 | 2.4.8 |
| rubygems/rubygems-update | >=2.1.0.rc.1<2.2.5 | 2.2.5 |
| rubygems/rubygems-update | <2.0.17 | 2.0.17 |
| Oracle Solaris and Zettabyte File System (ZFS) | =11.3 | |
| RubyGems | =2.0.0 | |
| RubyGems | =2.0.0-preview2 | |
| RubyGems | =2.0.0-preview2.1 | |
| RubyGems | =2.0.0-preview2.2 | |
| RubyGems | =2.0.0-rc1 | |
| RubyGems | =2.0.0-rc2 | |
| RubyGems | =2.0.1 | |
| RubyGems | =2.0.2 | |
| RubyGems | =2.0.3 | |
| RubyGems | =2.0.4 | |
| RubyGems | =2.0.5 | |
| RubyGems | =2.0.6 | |
| RubyGems | =2.0.7 | |
| RubyGems | =2.0.8 | |
| RubyGems | =2.0.9 | |
| RubyGems | =2.0.10 | |
| RubyGems | =2.0.11 | |
| RubyGems | =2.0.12 | |
| RubyGems | =2.0.13 | |
| RubyGems | =2.0.14 | |
| RubyGems | =2.0.15 | |
| RubyGems | =2.0.16 | |
| RubyGems | =2.2.0 | |
| RubyGems | =2.2.1 | |
| RubyGems | =2.2.2 | |
| RubyGems | =2.2.3 | |
| RubyGems | =2.2.4 | |
| RubyGems | =2.4.0 | |
| RubyGems | =2.4.1 | |
| RubyGems | =2.4.2 | |
| RubyGems | =2.4.3 | |
| RubyGems | =2.4.4 | |
| RubyGems | =2.4.5 | |
| RubyGems | =2.4.6 | |
| RubyGems | =2.4.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2015-4020
- https://github.com/rubygems/rubygems/commit/5c7bfb5
- https://puppet.com/security/cve/CVE-2015-3900
- https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/
- http://blog.rubygems.org/2015/06/08/2.2.5-released.html
- http://blog.rubygems.org/2015/06/08/2.4.8-released.html
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.securityfocus.com/bid/75431
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2015-4020.yml
- https://web.archive.org/web/20200228084212/http://www.securityfocus.com/bid/75431
- https://web.archive.org/web/20200228085830/https://puppet.com/security/cve/CVE-2015-3900
- https://github.com/advisories/GHSA-qv62-xfj6-32xm (Advisory)
Frequently Asked Questions
What is the severity of CVE-2015-4020?
CVE-2015-4020 is rated as a high severity vulnerability due to its potential to allow remote attackers to redirect requests.
How do I fix CVE-2015-4020?
To fix CVE-2015-4020, update RubyGems to version 2.4.8, 2.2.5, or 2.0.17 or later.
Which versions of RubyGems are affected by CVE-2015-4020?
CVE-2015-4020 affects RubyGems versions 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.3.x before 2.4.8.
What kind of attacks can CVE-2015-4020 facilitate?
CVE-2015-4020 allows remote attackers to execute DNS spoofing attacks by redirecting requests to arbitrary domains.
Is CVE-2015-4020 specific to any operating system?
CVE-2015-4020 is not limited to a specific operating system but impacts all platforms using affected RubyGems versions.
- collector/github-advisory-latest
- alias/GHSA-qv62-xfj6-32xm
- alias/CVE-2015-4020
- collector/github-advisory
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/references
- agent/weakness
- agent/first-publish-date
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/rubygems
- vendor/oracle
- canonical/oracle solaris and zettabyte file system (zfs)
- version/oracle solaris and zettabyte file system (zfs)/11.3
- vendor/rubygems
- canonical/rubygems
- version/rubygems/2.0.0
- version/rubygems/2.0.0-preview2
- version/rubygems/2.0.0-preview2.1
- version/rubygems/2.0.0-preview2.2
- version/rubygems/2.0.0-rc1
- version/rubygems/2.0.0-rc2
- version/rubygems/2.0.1
- version/rubygems/2.0.2
- version/rubygems/2.0.3
- version/rubygems/2.0.4
- version/rubygems/2.0.5
- version/rubygems/2.0.6
- version/rubygems/2.0.7
- version/rubygems/2.0.8
- version/rubygems/2.0.9
- version/rubygems/2.0.10
- version/rubygems/2.0.11
- version/rubygems/2.0.12
- version/rubygems/2.0.13
- version/rubygems/2.0.14
- version/rubygems/2.0.15
- version/rubygems/2.0.16
- version/rubygems/2.2.0
- version/rubygems/2.2.1
- version/rubygems/2.2.2
- version/rubygems/2.2.3
- version/rubygems/2.2.4
- version/rubygems/2.4.0
- version/rubygems/2.4.1
- version/rubygems/2.4.2
- version/rubygems/2.4.3
- version/rubygems/2.4.4
- version/rubygems/2.4.5
- version/rubygems/2.4.6
- version/rubygems/2.4.7