--- library: rubygems cve: 2015-4020 url: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478 title: | RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record Hostname Validation Request Hijacking date: 2015-06-08 description: | RubyGems contains a flaw in the api_endpoint() function in remote_fetcher.rb that is triggered when handling hostnames in SRV records. With a specially crafted response, a context-dependent attacker may conduct DNS hijacking attacks. This vulnerability is due to an incomplete fix for CVE-2015-3900, which allowed redirection to an arbitrary gem server in any security domain. cvss_v2: 5.0 patched_versions: - ~> 2.0.17 - ~> 2.2.5 - ">= 2.4.8"