PT-2015-6338 · Ruby+2 · Rubygems+2

Jonathan Claudius

Published

2015-06-24

Updated

2025-09-29

CVE-2015-3900

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions RubyGems versions 2.0.x through 2.0.16 RubyGems versions 2.2.x through 2.2.4 RubyGems versions 2.4.x through 2.4.7

Description The issue allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, which is referred to as a "DNS hijack attack." This occurs because the hostname is not validated when fetching gems or making API requests.

Recommendations For RubyGems versions 2.0.x through 2.0.16, update to version 2.0.16 or later. For RubyGems versions 2.2.x through 2.2.4, update to version 2.2.4 or later. For RubyGems versions 2.4.x through 2.4.7, update to version 2.4.7 or later.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-350CWE-254CWE-20

Related Identifiers

ALSA-2025_16880

ALT-PU-2016-2061

CVE-2015-3900

GHSA-QV62-XFJ6-32XM

GHSA-WP3J-RVFP-624H

MGASA-2015-0345

OPENSUSE-SU-2017_1128-1

OPENSUSE-SU-2024:10090-1

OPENSUSE-SU-2024:10481-1

RHSA-2015:1657

SUSE-SU-2017:1067-1

Affected Products

Alt Linux

Rubygems

Suse

PT-2015-6338 · Ruby+2 · Rubygems+2

CVE-2015-3900

Weakness Enumeration

Related Identifiers

Affected Products

References · 51