High severity (8.1) · NVD Advisory · Published Aug 31, 2017 · Updated May 13, 2026
CVE-2017-0902
Description
RubyGems 2.6.12 and earlier is vulnerable to DNS hijacking. The client resolves an SRV record for the gem source host and, when the record's target appears to lie under that host, redirects its API requests to the target. The "lies under" test was a regular expression that only required the target string to end with `.<host>`, so a forged target such as `evil.com/a.example.com` (the input added to the test suite by the fix) passes the check, and the URL built from it points at `evil.com`. A man-in-the-middle attacker who can forge that DNS answer can therefore make the RubyGems client download and install gems from a server the attacker controls. Version 2.6.13 fixes this by parsing the target as a URL and comparing its host component instead of the raw string.
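The string-suffix check that the fix replaces and the host-component check that replaces it, side by side in an added Ruby example (illustrative code written for this page, not RubyGems' own `Gem::RemoteFetcher`): a stub resolver plays the role of a forged SRV answer, and `hosts_for` reports which host each version of the check would actually fetch from. The SRV record name, the stub classes and the `hosts_for` helper are assumptions made for the example; the two checks and the `evil.com/a.example.com` input are taken from the fix commit and its test.

```ruby
require "uri"
require "resolv"

# Added example, not RubyGems code: a minimal model of how api_endpoint
# picked an API host from an SRV answer before and after the fix commit.
# Only the pieces visible in the diff and its test are modelled; the
# "_rubygems._tcp." record name below is an assumption for this example.

# Stand-in for the Resolv SRV resource; api_endpoint only reads .target.
SrvAnswer = Struct.new(:target)

# Constructed resolver: maps a query name to the SRV target "the network"
# returned. A MITM attacker who can forge DNS responses controls this value.
class StubDns
  def initialize(answers)
    @answers = answers
  end

  def getresource(name, _type)
    target = @answers.fetch(name) { raise Resolv::ResolvError, "no SRV for #{name}" }
    SrvAnswer.new(target)
  end
end

# Shared skeleton: resolve the SRV answer, then let the version-specific
# in_domain check decide whether to redirect to the target. The returned
# URL is built from the raw target string in both versions, as in the diff.
def api_endpoint_with(uri, dns, &in_domain)
  host = uri.host
  res = dns.getresource("_rubygems._tcp.#{host}", Resolv::DNS::Resource::IN::SRV)
  target = res.target.to_s.strip
  return URI.parse("#{uri.scheme}://#{target}#{uri.path}") if in_domain.call(target, host)
  uri
rescue Resolv::ResolvError
  uri
end

# RubyGems <= 2.6.12 (the "-" line of the diff): a regexp that only asks
# whether the *string* ends with ".<host>"; everything before that suffix,
# including a "/" that turns it into a path, is ignored.
def api_endpoint_vulnerable(uri, dns)
  api_endpoint_with(uri, dns) { |target, host| target =~ /\.#{Regexp.quote(host)}\z/ }
end

# RubyGems 2.6.13 (the "+" line of the diff): parse the target as a URL first
# and compare the *host* component, so "evil.com/a.example.com" is seen as
# host evil.com with path /a.example.com.
def api_endpoint_fixed(uri, dns)
  api_endpoint_with(uri, dns) { |target, host| URI("http://" + target).host.end_with?(".#{host}") }
end

# For one SRV target, return the host each version would fetch from.
def hosts_for(target, source = "http://example.com/foo")
  uri = URI.parse(source)
  dns = StubDns.new("_rubygems._tcp.#{uri.host}" => target)
  {
    vulnerable: api_endpoint_vulnerable(uri, dns).host,
    fixed: api_endpoint_fixed(uri, dns).host,
  }
end

if __FILE__ == $PROGRAM_NAME
  # Legitimate SRV answer: both versions follow it to gems.example.com.
  p hosts_for("gems.example.com")
  # Forged answer from the fix's own test: the string ends with ".example.com",
  # but its URL host is evil.com. Only the old check is fooled.
  p hosts_for("evil.com/a.example.com")
end
```

Run it with `ruby` on any stock interpreter; no network access is needed because the resolver is stubbed. The vulnerable branch is the one an attacker reaches in practice: the gem client would go on to fetch the dependency API, and then gems, from `evil.com`.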
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rubygems-update (RubyGems) | < 2.6.13 | 2.6.13 |
Patches (1)
1. 8d91516fb703: [RemoteFetcher] Avoid DNS Hijacking Vulnerability
2 files changed · +16 −1
lib/rubygems/remote_fetcher.rb+1 −1 modified@@ -110,7 +110,7 @@ def api_endpoint(uri) else target = res.target.to_s.strip - if /\.#{Regexp.quote(host)}\z/ =~ target + if URI("http://" + target).host.end_with?(".#{host}") return URI.parse "#{uri.scheme}://#{target}#{uri.path}" end
test/rubygems/test_gem_remote_fetcher.rb+15 −0 modified@@ -241,6 +241,21 @@ def test_api_endpoint_ignores_trans_domain_values_that_end_with_original dns.verify end + def test_api_endpoint_ignores_trans_domain_values_that_end_with_original_in_path + uri = URI.parse "http://example.com/foo" + target = MiniTest::Mock.new + target.expect :target, "evil.com/a.example.com" + + dns = MiniTest::Mock.new + dns.expect :getresource, target, [String, Object] + + fetch = Gem::RemoteFetcher.new nil, dns + assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri) + + target.verify + dns.verify + end + def test_api_endpoint_timeout_warning uri = URI.parse "http://gems.example.com/foo"
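Review bot: in the `lib/rubygems/remote_fetcher.rb` hunk, the new `+` line parses the SRV target to check its host but the return on the next line still interpolates the raw `target` string into the URL, so anything the parser accepted alongside the host (userinfo, a port, a path prefix) is carried into the URL the client fetches; build the result from the parsed components instead, e.g. `parsed = URI("http://" + target)` followed by `URI.parse "#{uri.scheme}://#{parsed.host}#{uri.path}"`. The new expression also has no error path: `URI()` raises `URI::InvalidURIError` for a target containing characters that are not valid in a URL, and `.host` is nil for an input with no authority, so a malformed SRV answer now raises out of `api_endpoint` where the old regexp simply failed to match and fell through to `uri`; rescue that and return `uri`. Lastly, `end_with?` is case-sensitive while DNS names are not, so a target answered as `GEMS.EXAMPLE.COM` is rejected; compare downcased values.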
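Review bot: the new test in `test/rubygems/test_gem_remote_fetcher.rb` pins the `evil.com/a.example.com` bypass, but there is no case for a target the new `URI("http://" + target)` call cannot parse (for example a target with an internal space, which `strip` leaves in place), which is exactly where the rewritten check changes behaviour from "ignore the record" to "raise"; add a sibling test with such a target that asserts `fetch.api_endpoint(uri)` still returns the original `uri`, so the fallback path is covered rather than only the happy path and the bypass.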
References
- blog.rubygems.org/2017/08/27/2.6.13-released.html (NVD: Patch, Vendor Advisory)
- github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32 (NVD: Exploit, Patch, Third Party Advisory)
- hackerone.com/reports/218088 (NVD: Exploit, Issue Tracking, Third Party Advisory)
- www.securityfocus.com/bid/100586 (NVD: Third Party Advisory, VDB Entry; archived copy listed by GHSA: web.archive.org/web/20170907040741/http://www.securityfocus.com/bid/100586)
- www.securitytracker.com/id/1039249 (NVD: Third Party Advisory, VDB Entry; archived copy listed by GHSA: web.archive.org/web/20170907215801/http://www.securitytracker.com/id/1039249)
- access.redhat.com/errata/RHSA-2017:3485 (NVD: Third Party Advisory)
- access.redhat.com/errata/RHSA-2018:0378 (NVD: Third Party Advisory)
- access.redhat.com/errata/RHSA-2018:0583 (NVD: Third Party Advisory)
- access.redhat.com/errata/RHSA-2018:0585 (NVD: Third Party Advisory)
- github.com/advisories/GHSA-73w7-6w9g-gc8w (GHSA: Advisory)
- lists.debian.org/debian-lts-announce/2018/07/msg00012.html (NVD: Mailing List, Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-0902 (GHSA: Advisory)
- security.gentoo.org/glsa/201710-01 (NVD: Third Party Advisory)
- usn.ubuntu.com/3553-1/ (NVD: Third Party Advisory; also listed by GHSA)
- usn.ubuntu.com/3685-1/ (NVD: Third Party Advisory; also listed by GHSA)
- www.debian.org/security/2017/dsa-3966 (NVD: Third Party Advisory)