Description

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

Remediation

References

CVE-2015-3900

Related Vulnerabilities

WordPress Plugin MoodThingy Mood Rating Widget SQL Injection (0.9.1)

WordPress Plugin Pinpoint Booking System-#1 WordPress Booking SQL Injection (2.9.9.2.8)

WordPress Plugin WordPress Landing Pages Cross-Site Scripting (2.2.4)

Oracle Database Server Other Vulnerability (CVE-2005-1197)

WordPress Plugin Blog2Social:Social Media Auto Post & Scheduler Multiple Vulnerabilities (6.9.9)

Severity

Medium

Classification

CVE-2015-3900

Tags

Missing Update Known Vulnerabilities