DEBIAN-CVE-2015-3900

DEBIAN-CVE-2015-3900 PUBLISHED

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

Affected Products

Vendor	Product	Versions
Debian:14	jruby	0, 0, 0
Debian:12	jruby	0, 0, 0
Debian:13	jruby	0, 0, 0

Timeline

Jun 24, 2015 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2015-3900 advisory

Open in Interactive Console →