CVE-2015-4020

Name of the Vulnerable Software and Affected Versions RubyGems versions 2.0.x through 2.0.16 RubyGems versions 2.2.x through 2.2.4 RubyGems versions 2.3.x through 2.4.7

Description The issue allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, also known as a "DNS hijack attack". This occurs because RubyGems does not validate the hostname when fetching gems or making API requests.

Recommendations For RubyGems versions 2.0.x through 2.0.16, update to version 2.0.17 or later. For RubyGems versions 2.2.x through 2.2.4, update to version 2.2.5 or later. For RubyGems versions 2.3.x through 2.4.7, update to version 2.4.8 or later.