Search for packages
| purl | pkg:gem/rubygems-update@2.3 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-wve4-sjev-euge
Aliases: CVE-2015-3900 GHSA-wp3j-rvfp-624h OSV-122162 |
RubyGems vulnerable to DNS hijack attack RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack." |
Affected by 13 other vulnerabilities. |
|
VCID-zp1b-4nku-y7ht
Aliases: CVE-2015-4020 GHSA-qv62-xfj6-32xm |
RubyGems Improper Input Validation vulnerability RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.3.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3900. |
Affected by 12 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-07-01T16:58:27.054649+00:00 | Ruby Importer | Affected by | VCID-zp1b-4nku-y7ht | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2015-4020.yml | 36.1.3 |
| 2025-07-01T16:58:26.843757+00:00 | Ruby Importer | Affected by | VCID-wve4-sjev-euge | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2015-3900.yml | 36.1.3 |