VulnerableCode Package Details - pkg:gem/rubygems-update@2.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-ee8m-jtmh-dfbs Aliases: CVE-2015-3900 GHSA-wp3j-rvfp-624h OSV-122162	7PK - Security Features RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."	2.2.4 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.4.7 Affected by 13 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-k2ga-fgvp-5qc7 Aliases: CVE-2013-4287 GHSA-9j7m-rjqx-48vh OSV-97163	Cryptographic Issues Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.	2.1.1 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-zb9m-getz-3keh Aliases: CVE-2015-4020 GHSA-qv62-xfj6-32xm	Improper Input Validation RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900.	2.2.5 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.4.8 Affected by 12 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-ee8m-jtmh-dfbs
Aliases:
CVE-2015-3900
GHSA-wp3j-rvfp-624h
OSV-122162

7PK - Security Features RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

2.2.4
Affected by 7 other vulnerabilities.

2.4.7
Affected by 13 other vulnerabilities.

VCID-k2ga-fgvp-5qc7
Aliases:
CVE-2013-4287
GHSA-9j7m-rjqx-48vh
OSV-97163

Cryptographic Issues Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.

2.1.1
Affected by 8 other vulnerabilities.

VCID-zb9m-getz-3keh
Aliases:
CVE-2015-4020
GHSA-qv62-xfj6-32xm

Improper Input Validation RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900.

2.2.5
Affected by 7 other vulnerabilities.

2.4.8
Affected by 12 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T15:18:35.385550+00:00	Ruby Importer	Affected by	VCID-zb9m-getz-3keh	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2015-4020.yml	38.0.0
2026-04-01T15:18:35.148718+00:00	Ruby Importer	Affected by	VCID-k2ga-fgvp-5qc7	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2013-4287.yml	38.0.0
2026-04-01T15:18:35.063279+00:00	Ruby Importer	Affected by	VCID-ee8m-jtmh-dfbs	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2015-3900.yml	38.0.0