CVE ID: | CVE-2015-4020 |
Description: | RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3900. |
Test IDs: | 1.3.6.1.4.1.25623.1.0.120441 1.3.6.1.4.1.25623.1.0.120442 1.3.6.1.4.1.25623.1.0.120440 |
Cross References: |
Common Vulnerability Exposure (CVE) ID: CVE-2015-4020
BugTraq ID: 75431
http://www.securityfocus.com/bid/75431
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478
https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/ |