What is the severity of CVE-2015-4020?

CVE-2015-4020 is rated as a high severity vulnerability due to its potential to allow remote attackers to redirect requests.

How do I fix CVE-2015-4020?

To fix CVE-2015-4020, update RubyGems to version 2.4.8, 2.2.5, or 2.0.17 or later.

Which versions of RubyGems are affected by CVE-2015-4020?

CVE-2015-4020 affects RubyGems versions 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.3.x before 2.4.8.

What kind of attacks can CVE-2015-4020 facilitate?

CVE-2015-4020 allows remote attackers to execute DNS spoofing attacks by redirecting requests to arbitrary domains.

Is CVE-2015-4020 specific to any operating system?

CVE-2015-4020 is not limited to a specific operating system but impacts all platforms using affected RubyGems versions.

Vulnerability/
CVE-2015-4020

medium

4.3

CWE

25/8/2015

17/5/2022

6/8/2024

CVE-2015-4020: Input Validation

First published: Tue Aug 25 2015(Updated: )

RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.3.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3900.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
rubygems/rubygems-update	>=2.3.0<2.4.8	2.4.8
rubygems/rubygems-update	>=2.1.0.rc.1<2.2.5	2.2.5
rubygems/rubygems-update	<2.0.17	2.0.17
Oracle Solaris SPARC	=11.3
RubyGems	=2.0.0
RubyGems	=2.0.0-preview2
RubyGems	=2.0.0-preview2.1
RubyGems	=2.0.0-preview2.2
RubyGems	=2.0.0-rc1
RubyGems	=2.0.0-rc2
RubyGems	=2.0.1
RubyGems	=2.0.2
RubyGems	=2.0.3
RubyGems	=2.0.4
RubyGems	=2.0.5
RubyGems	=2.0.6
RubyGems	=2.0.7
RubyGems	=2.0.8
RubyGems	=2.0.9
RubyGems	=2.0.10
RubyGems	=2.0.11
RubyGems	=2.0.12
RubyGems	=2.0.13
RubyGems	=2.0.14
RubyGems	=2.0.15
RubyGems	=2.0.16
RubyGems	=2.2.0
RubyGems	=2.2.1
RubyGems	=2.2.2
RubyGems	=2.2.3
RubyGems	=2.2.4
RubyGems	=2.4.0
RubyGems	=2.4.1
RubyGems	=2.4.2
RubyGems	=2.4.3
RubyGems	=2.4.4
RubyGems	=2.4.5
RubyGems	=2.4.6
RubyGems	=2.4.7

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2015-4020?
CVE-2015-4020 is rated as a high severity vulnerability due to its potential to allow remote attackers to redirect requests.
How do I fix CVE-2015-4020?
To fix CVE-2015-4020, update RubyGems to version 2.4.8, 2.2.5, or 2.0.17 or later.
Which versions of RubyGems are affected by CVE-2015-4020?
CVE-2015-4020 affects RubyGems versions 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.3.x before 2.4.8.
What kind of attacks can CVE-2015-4020 facilitate?
CVE-2015-4020 allows remote attackers to execute DNS spoofing attacks by redirecting requests to arbitrary domains.
Is CVE-2015-4020 specific to any operating system?
CVE-2015-4020 is not limited to a specific operating system but impacts all platforms using affected RubyGems versions.

collector/github-advisory-latest
alias/GHSA-qv62-xfj6-32xm
alias/CVE-2015-4020
collector/github-advisory
agent/author
agent/type
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/severity
agent/references
agent/weakness
agent/first-publish-date
agent/description
agent/event
agent/trending
agent/source
agent/tags
agent/softwarecombine
collector/nvd-cve
agent/software-canonical-lookup-request
collector/nvd-index
package-manager/rubygems
vendor/oracle
canonical/oracle solaris sparc
version/oracle solaris sparc/11.3
vendor/rubygems
canonical/rubygems
version/rubygems/2.0.0
version/rubygems/2.0.0-preview2
version/rubygems/2.0.0-preview2.1
version/rubygems/2.0.0-preview2.2
version/rubygems/2.0.0-rc1
version/rubygems/2.0.0-rc2
version/rubygems/2.0.1
version/rubygems/2.0.2
version/rubygems/2.0.3
version/rubygems/2.0.4
version/rubygems/2.0.5
version/rubygems/2.0.6
version/rubygems/2.0.7
version/rubygems/2.0.8
version/rubygems/2.0.9
version/rubygems/2.0.10
version/rubygems/2.0.11
version/rubygems/2.0.12
version/rubygems/2.0.13
version/rubygems/2.0.14
version/rubygems/2.0.15
version/rubygems/2.0.16
version/rubygems/2.2.0
version/rubygems/2.2.1
version/rubygems/2.2.2
version/rubygems/2.2.3
version/rubygems/2.2.4
version/rubygems/2.4.0
version/rubygems/2.4.1
version/rubygems/2.4.2
version/rubygems/2.4.3
version/rubygems/2.4.4
version/rubygems/2.4.5
version/rubygems/2.4.6
version/rubygems/2.4.7

Frequently Asked Questions

What is the severity of CVE-2015-4020?
CVE-2015-4020 is rated as a high severity vulnerability due to its potential to allow remote attackers to redirect requests.
How do I fix CVE-2015-4020?
To fix CVE-2015-4020, update RubyGems to version 2.4.8, 2.2.5, or 2.0.17 or later.
Which versions of RubyGems are affected by CVE-2015-4020?
CVE-2015-4020 affects RubyGems versions 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.3.x before 2.4.8.
What kind of attacks can CVE-2015-4020 facilitate?
CVE-2015-4020 allows remote attackers to execute DNS spoofing attacks by redirecting requests to arbitrary domains.
Is CVE-2015-4020 specific to any operating system?
CVE-2015-4020 is not limited to a specific operating system but impacts all platforms using affected RubyGems versions.

CVE-2015-4020: Input Validation

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2015-4020?

How do I fix CVE-2015-4020?

Which versions of RubyGems are affected by CVE-2015-4020?

What kind of attacks can CVE-2015-4020 facilitate?

Is CVE-2015-4020 specific to any operating system?

Company

Resources

Contact

Frequently Asked Questions

What is the severity of CVE-2015-4020?

How do I fix CVE-2015-4020?

Which versions of RubyGems are affected by CVE-2015-4020?

What kind of attacks can CVE-2015-4020 facilitate?

Is CVE-2015-4020 specific to any operating system?