---
library: rubygems
cve: 2015-3900
osvdb: 122162
url: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
title: |
  RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record
  Hostname Validation Request Hijacking
date: 2015-05-14
description: |
  RubyGems contains a flaw in the api_endpoint() function in remote_fetcher.rb
  that is triggered when handling hostnames in SRV records. With a specially
  crafted response, a context-dependent attacker may conduct DNS hijacking
  attacks.
cvss_v2: 5.0
patched_versions:
  - ~> 2.0.16
  - ~> 2.2.4
  - ">= 2.4.7"