
CVE ID: CVE-2015-4020
Description: RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3900.
Test IDs: 1.3.6.1.4.1.25623.1.0.120441   1.3.6.1.4.1.25623.1.0.120442   1.3.6.1.4.1.25623.1.0.120440  
Cross References: Common Vulnerability Exposure (CVE) ID: CVE-2015-4020
BugTraq ID: 75431
http://www.securityfocus.com/bid/75431
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478
https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/




© 1998-2024 E-Soft Inc. All rights reserved.