CVE-2015-4020: Improper Input Validation
RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a “DNS hijack attack.” NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3900.
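The difference between a suffix comparison and a check on a DNS label boundary, as an added Ruby example that is not RubyGems code and not taken from the fix commit. It assumes the incomplete check behaved like a plain string-suffix match; the function names and the `repo.example` hostnames are hypothetical and constructed.

```ruby
# Added illustration: validating an SRV target against the host the client asked for.
# Function names and hostnames are hypothetical; this is not RubyGems code.

# Normalise a DNS name for comparison: lower-case, without the trailing root dot.
def normalize(name)
  name.to_s.strip.downcase.chomp(".")
end

# Weak check (assumed form of an incomplete validation): accepts any target
# whose text merely ends with the host, regardless of where labels begin.
def suffix_only_match?(host, target)
  normalize(target).end_with?(normalize(host))
end

# Stricter check: the target must be the host itself or a true subdomain,
# so the match has to start on a DNS label boundary (a leading dot).
def label_boundary_match?(host, target)
  h = normalize(host)
  t = normalize(target)
  return false if h.empty? || t.empty?
  t == h || t.end_with?(".#{h}")
end

# Use the SRV target only if it validates; otherwise keep the original host.
def select_endpoint(host, srv_target)
  label_boundary_match?(host, srv_target) ? normalize(srv_target) : normalize(host)
end

# Constructed sample SRV targets (".example" is a reserved TLD).
SAMPLES = [
  ["repo.example", "api.repo.example."],          # real subdomain, with root dot
  ["repo.example", "REPO.example"],               # same host, different case
  ["repo.example", "otherrepo.example"],          # shares only the string suffix
  ["repo.example", "repo.example.other.example"], # host appears as a prefix only
]

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |host, target|
    puts format("%-28s suffix_only=%-5s label_boundary=%-5s -> %s",
                target, suffix_only_match?(host, target),
                label_boundary_match?(host, target), select_endpoint(host, target))
  end
end
```
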
References
- blog.rubygems.org/2015/06/08/2.2.5-released.html
- blog.rubygems.org/2015/06/08/2.4.8-released.html
- www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- www.securityfocus.com/bid/75431
- github.com/rubygems/rubygems/commit/5c7bfb5
- nvd.nist.gov/vuln/detail/CVE-2015-4020
- puppet.com/security/cve/CVE-2015-3900
- www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478
- www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/