Vulnerability details: VCID-ee8m-jtmh-dfbs
Vulnerability ID VCID-ee8m-jtmh-dfbs
Aliases CVE-2015-3900
GHSA-wp3j-rvfp-624h
OSV-122162
Summary 7PK - Security Features RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (5)
System Score Found at
generic_textual HIGH http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
generic_textual HIGH http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163502.html
generic_textual HIGH http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163600.html
generic_textual HIGH http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164236.html
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2015-1657.html
epss 0.02401 https://api.first.org/data/v1/epss?cve=CVE-2015-3900
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-wp3j-rvfp-624h
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2015-3900.yml
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2015-3900
generic_textual HIGH https://puppet.com/security/cve/CVE-2015-3900
generic_textual HIGH https://web.archive.org/web/20170331091241/https://puppet.com/security/cve/CVE-2015-3900
generic_textual HIGH https://web.archive.org/web/20200228055155/http://www.securityfocus.com/bid/75482
generic_textual HIGH https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
generic_textual HIGH https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900
generic_textual HIGH http://www.openwall.com/lists/oss-security/2015/06/26/2
generic_textual HIGH http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
Reference id Reference type URL
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163502.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163600.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164236.html
http://rhn.redhat.com/errata/RHSA-2015-1657.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-3900.json
https://api.first.org/data/v1/epss?cve=CVE-2015-3900
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2015-3900.yml
https://web.archive.org/web/20170331091241/https://puppet.com/security/cve/CVE-2015-3900
https://web.archive.org/web/20200228055155/http://www.securityfocus.com/bid/75482
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900
https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/
http://www.openwall.com/lists/oss-security/2015/06/26/2
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
http://www.securityfocus.com/bid/75482
1236116 https://bugzilla.redhat.com/show_bug.cgi?id=1236116
CVE-2015-3900 https://nvd.nist.gov/vuln/detail/CVE-2015-3900
CVE-2015-3900 https://puppet.com/security/cve/CVE-2015-3900
CVE-2015-3900.HTML http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
GHSA-wp3j-rvfp-624h https://github.com/advisories/GHSA-wp3j-rvfp-624h
RHSA-2015:1657 https://access.redhat.com/errata/RHSA-2015:1657
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.84993
EPSS Score 0.02401
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:46:57.654941+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rubygems-update/CVE-2015-3900.yml 38.0.0