RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2015-08-25T17:00:00
Updated: 2017-12-08T10:57:01
Reserved: 2015-05-18T00:00:00
Link: CVE-2015-4020
JSON object: View
NVD Information
Status : Modified
Published: 2015-08-25T17:59:01.760
Modified: 2017-12-09T02:29:04.637
Link: CVE-2015-4020
JSON object: View
Redhat Information
No data.
CWE