Sha256: d9d1b2afb2ca3d950bc9b906b7aa81624eac7e683f89f0145abc2a7364c1a441

Size: 746 Bytes

Versions: 5

Contents

---
library: rubygems
cve: 2015-4020
url: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478
title: |
  RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record
  Hostname Validation Request Hijacking
date: 2015-06-08
description: |
  RubyGems contains a flaw in the api_endpoint() function in remote_fetcher.rb
  that is triggered when validating the target hostname returned in a DNS SRV
  record for a gem source. With a specially crafted DNS response, an attacker
  able to spoof or control DNS answers may redirect gem and API requests to a
  host of their choosing (a DNS hijacking attack). This vulnerability is due to
  an incomplete fix for CVE-2015-3900, which allowed redirection to an
  arbitrary gem server in any security domain.
cvss_v2: 5.0
patched_versions:
  - ~> 2.0.17
  - ~> 2.2.5
  - ">= 2.4.8"
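
The advisory above turns on how the SRV target is compared with the gem source's host. The following is an added example in Ruby, not the RubyGems project's own code and not a verbatim copy of the pre- or post-fix remote_fetcher.rb: it contrasts a bare string-suffix check, the class of bug the advisory describes, with a check that requires a label boundary, and shows the effect on the endpoint a fetcher would follow. The module name, the `weak_ok?`/`strict_ok?`/`api_endpoint` helpers and the sample SRV targets are all assumptions constructed for the example.

```ruby
require 'uri'

# Added example (not RubyGems' own code): validating the target of an SRV
# record against the gem source's host before following it.
#
# A gem source such as https://rubygems.org/ may publish an SRV record that
# says "talk to api.rubygems.org instead". The SRV answer comes from DNS, so
# an attacker who can spoof DNS controls the target string. The target must
# therefore be checked against the host the user actually configured.
module SrvTargetCheck
  # Weak check: a bare string-suffix test. "evilrubygems.org" ends with
  # "rubygems.org", so a spoofed SRV answer can redirect gem fetches to a host
  # the attacker owns. Illustrative of the bug class in the advisory; the exact
  # pre-fix expression is an assumption, not quoted from RubyGems.
  def self.weak_ok?(host, target)
    target.end_with?(host)
  end

  # Hardened check: the target must be the host itself or a subdomain of it,
  # i.e. a "." must sit at the label boundary. DNS names are case-insensitive
  # and may carry a trailing dot (FQDN form), so both are normalised first.
  def self.strict_ok?(host, target)
    h = host.downcase.sub(/\.\z/, '')
    t = target.strip.downcase.sub(/\.\z/, '')
    t == h || t.end_with?(".#{h}")
  end

  # Resolve the API endpoint for a gem source given the SRV target that DNS
  # returned (nil when there was no SRV record). Falls back to the configured
  # source whenever the target does not pass the strict check.
  def self.api_endpoint(source_uri, srv_target)
    uri = URI.parse(source_uri)
    return uri if srv_target.nil? || srv_target.strip.empty?
    target = srv_target.strip.sub(/\.\z/, '')
    return uri unless strict_ok?(uri.host, target)
    URI.parse("#{uri.scheme}://#{target}#{uri.path}")
  end
end

if __FILE__ == $0
  src = "https://rubygems.org/"
  # Constructed SRV targets, as an attacker-controlled resolver might return.
  ["api.rubygems.org", "evilrubygems.org",
   "rubygems.org.evil.example", "RUBYGEMS.ORG."].each do |t|
    printf "%-28s weak=%-5s strict=%-5s -> %s\n", t,
           SrvTargetCheck.weak_ok?("rubygems.org", t),
           SrvTargetCheck.strict_ok?("rubygems.org", t),
           SrvTargetCheck.api_endpoint(src, t)
  end
end
```

Running the demo shows `evilrubygems.org` accepted by the suffix check but rejected by the boundary check, while the legitimate `api.rubygems.org` passes both; the fix is the single `.` in the comparison, which is exactly the kind of detail a suffix test silently drops.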

Version data entries

5 entries across 5 versions & 2 rubygems

Version Path
bundler-budit-0.6.2 data/ruby-advisory-db/libraries/rubygems/CVE-2015-4020.yml
bundler-budit-0.6.1 data/ruby-advisory-db/libraries/rubygems/CVE-2015-4020.yml
bundler-audit-0.6.1 data/ruby-advisory-db/libraries/rubygems/CVE-2015-4020.yml
bundler-audit-0.6.0 data/ruby-advisory-db/libraries/rubygems/CVE-2015-4020.yml
bundler-audit-0.5.0 data/ruby-advisory-db/libraries/rubygems/CVE-2015-4020.yml