High severityNVD Advisory· Published Jun 24, 2015· Updated Jun 17, 2026
CVE-2015-3900
CVE-2015-3900
Description
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
rubygems-updateRubyGems | >= 2.0.0, < 2.0.16 | 2.0.16 |
rubygems-updateRubyGems | >= 2.2.0, < 2.2.4 | 2.2.4 |
rubygems-updateRubyGems | >= 2.4.0, < 2.4.7 | 2.4.7 |
Affected products
54cpe:2.3:a:rubygems:rubygems:2.0.0:*:*:*:*:*:*:*+ 26 more
- cpe:2.3:a:rubygems:rubygems:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.6:*:*:*:*:*:*:*
cpe:2.3:a:ruby-lang:ruby:1.9:*:*:*:*:*:*:*+ 11 more
- cpe:2.3:a:ruby-lang:ruby:1.9:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:1.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.1:-:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- ghsa-coords12 versionspkg:gem/rubygems-updatepkg:rpm/opensuse/ruby2.2&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby2.3&distro=openSUSE%20Tumbleweedpkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP1pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2
>= 2.0.0, < 2.0.16+ 11 more
- (no CPE)range: >= 2.0.0, < 2.0.16
- (no CPE)range: < 2.2.5-1.5
- (no CPE)range: < 2.3.1-1.6
- (no CPE)range: < 2.1.9-15.1
- (no CPE)range: < 2.1.9-15.1
- (no CPE)range: < 2.1.9-15.1
- (no CPE)range: < 2.1.9-15.1
- (no CPE)range: < 2.1.9-15.1
- (no CPE)range: < 2.1.9-15.1
- (no CPE)range: < 2.1.9-15.1
- (no CPE)range: < 2.1.9-15.1
- (no CPE)range: < 2.1.9-15.1
Patches
Vulnerability mechanics
References
17- blog.rubygems.org/2015/05/14/CVE-2015-3900.htmlnvdPatchVendor AdvisoryWEB
- rhn.redhat.com/errata/RHSA-2015-1657.htmlnvdThird Party AdvisoryWEB
- www.openwall.com/lists/oss-security/2015/06/26/2nvdThird Party AdvisoryWEB
- www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.htmlnvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-wp3j-rvfp-624hghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2015-3900ghsaADVISORY
- www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/nvdThird Party AdvisoryWEB
- www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/nvdThird Party Advisory
- lists.fedoraproject.org/pipermail/package-announce/2015-August/163502.htmlnvdWEB
- lists.fedoraproject.org/pipermail/package-announce/2015-August/163600.htmlnvdWEB
- lists.fedoraproject.org/pipermail/package-announce/2015-August/164236.htmlnvdWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2015-3900.ymlghsaWEB
- puppet.com/security/cve/CVE-2015-3900nvdWEB
- web.archive.org/web/20170331091241/https://puppet.com/security/cve/CVE-2015-3900ghsaWEB
- web.archive.org/web/20200228055155/http://www.securityfocus.com/bid/75482ghsaWEB
- www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900ghsaWEB
- www.securityfocus.com/bid/75482nvd
News mentions
0No linked articles in our index yet.