WEB APPLICATION VULNERABILITIES Standard & Premium

RubyGems 7PK - Security Features Vulnerability (CVE-2015-3900)

Description

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

Remediation

References

Related Vulnerabilities

WordPress Plugin Contest Gallery-Photo Contest for WordPress Cross-Site Scripting (14.1.7)

WordPress Plugin VK Gallery TimThumb Arbitrary File Upload (1.1.0)

Joomla! Core 3.x.x SQL Injection (3.0.0 - 3.4.6)

PHP Improper Link Resolution Before File Access ('Link Following') Vulnerability (CVE-2011-0441)

Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-0793)

Severity

Medium

Classification

CVE-2015-3900

Tags

Missing Update Known Vulnerabilities