Description

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

Remediation

References

CVE-2015-3900

Related Vulnerabilities

WordPress Plugin Recipe Card Blocks for Gutenberg & Elementor Cross-Site Scripting (2.8.0)

WebLogic CVE-2020-2963 Vulnerability (CVE-2020-2963)

WordPress Plugin Tutor LMS-eLearning and online course solution Security Bypass (2.6.1)

phpMyAdmin Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2008-3197)

CubeCart Improper Input Validation Vulnerability (CVE-2013-1465)

Severity

Medium

Classification

CVE-2015-3900

Tags

Missing Update Known Vulnerabilities