VYPR
Moderate severity · NVD Advisory · Published Aug 25, 2015 · Updated Jun 17, 2026

CVE-2015-4020

Description

RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3900.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
rubygems-update (RubyGems) | < 2.0.17 | 2.0.17
rubygems-update (RubyGems) | >= 2.1.0.rc.1, < 2.2.5 | 2.2.5
rubygems-update (RubyGems) | >= 2.3.0, < 2.4.8 | 2.4.8

Affected products

37
  • RubyGems/Rubygems (35 versions)
    • cpe:2.3:a:rubygems:rubygems:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.0:preview2:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.1:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.2:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.14:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.15:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.16:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.4.5:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.4.6:*:*:*:*:*:*:*
    • cpe:2.3:a:rubygems:rubygems:2.4.7:*:*:*:*:*:*:*
  • cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
  • ghsa-coords
    Range: < 2.0.17
