CVE-2015-3900: 7PK - Security Features
(updated )
RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a “DNS hijack attack.”
References
- blog.rubygems.org/2015/05/14/CVE-2015-3900.html
- lists.fedoraproject.org/pipermail/package-announce/2015-August/163502.html
- lists.fedoraproject.org/pipermail/package-announce/2015-August/163600.html
- lists.fedoraproject.org/pipermail/package-announce/2015-August/164236.html
- rhn.redhat.com/errata/RHSA-2015-1657.html
- www.openwall.com/lists/oss-security/2015/06/26/2
- www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- www.securityfocus.com/bid/75482
- nvd.nist.gov/vuln/detail/CVE-2015-3900
- puppet.com/security/cve/CVE-2015-3900
- www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
- www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/
Detect and mitigate CVE-2015-3900 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →