VYPR
High severityNVD Advisory· Published Jun 24, 2015· Updated May 6, 2026

CVE-2015-3900

Description

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
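The mechanism described above, as an added illustration that is not code from RubyGems or from this advisory: a gem client looks up the `_rubygems._tcp.<host>` SRV record to discover its API endpoint, and the defect is trusting whatever target that record names. The lookup table, host names and both endpoint functions are constructed for this example; the hardened variant keeps the SRV target only when it lies under the host the user originally asked for.

```ruby
require 'uri'

# Constructed stand-in for the SRV lookup a gem client performs for
# _rubygems._tcp.<host>. No real DNS is consulted; the second entry
# models a hijacked record pointing at an unrelated domain.
FAKE_SRV = {
  '_rubygems._tcp.gems.example.com' => 'api.gems.example.com.',
  '_rubygems._tcp.rubygems.example' => 'evil.attacker.example'
}.freeze

def lookup_srv_target(host)
  FAKE_SRV["_rubygems._tcp.#{host}"]
end

# Vulnerable pattern: the SRV target becomes the new endpoint unchecked,
# so a crafted record redirects gem and API requests to an arbitrary domain.
def api_endpoint_unchecked(uri)
  target = lookup_srv_target(uri.host)
  return uri unless target

  URI.parse("#{uri.scheme}://#{target.sub(/\.\z/, '')}#{uri.path}")
end

# Hardened pattern: honour the SRV target only if it is a subdomain of the
# requested host (case-insensitive, trailing FQDN dot removed); otherwise
# keep the original URI so a hostile record cannot move the request.
def api_endpoint_checked(uri)
  host = uri.host.downcase
  target = lookup_srv_target(host)
  return uri unless target

  target = target.strip.downcase.sub(/\.\z/, '')
  return uri unless target.end_with?(".#{host}") && target.length > host.length + 1

  URI.parse("#{uri.scheme}://#{target}#{uri.path}")
end

if __FILE__ == $PROGRAM_NAME
  req = URI('https://rubygems.example/api/v1/dependencies')
  puts "unchecked: #{api_endpoint_unchecked(req)}"
  puts "checked:   #{api_endpoint_checked(req)}"
end
```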

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Affected versions     Patched versions
rubygems-update (RubyGems)  >= 2.0.0, < 2.0.16    2.0.16
rubygems-update (RubyGems)  >= 2.2.0, < 2.2.4     2.2.4
rubygems-update (RubyGems)  >= 2.4.0, < 2.4.7     2.4.7

Affected products

  • RubyGems / Rubygems (27 versions)
    • cpe:2.3:a:rubygems:rubygems:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.14:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.15:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.4.5:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.4.6:*:*:*:*:*:*:*
  • Ruby Lang / Ruby (12 versions)
    • cpe:2.3:a:ruby-lang:ruby:1.9:*:*:*:*:*:*:*
    • cpe:2.3:a:ruby-lang:ruby:1.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ruby-lang:ruby:1.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ruby-lang:ruby:1.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ruby-lang:ruby:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ruby-lang:ruby:2.1:-:*:*:*:*:*:*
    • cpe:2.3:a:ruby-lang:ruby:2.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ruby-lang:ruby:2.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ruby-lang:ruby:2.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ruby-lang:ruby:2.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:ruby-lang:ruby:2.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ruby-lang:ruby:2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
  • Red Hat / Enterprise Linux (2 versions)
    • cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
    • cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.