Vulnerability details: VCID-wve4-sjev-euge
Vulnerability ID VCID-wve4-sjev-euge
Aliases CVE-2015-3900
GHSA-wp3j-rvfp-624h
OSV-122162
Summary RubyGems vulnerable to DNS hijack attack
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (5)
System Score Found at
generic_textual HIGH http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
generic_textual HIGH http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163502.html
generic_textual HIGH http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163600.html
generic_textual HIGH http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164236.html
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2015-1657.html
epss 0.01655 https://api.first.org/data/v1/epss?cve=CVE-2015-3900
epss 0.02408 https://api.first.org/data/v1/epss?cve=CVE-2015-3900
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-wp3j-rvfp-624h
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2015-3900.yml
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2015-3900
generic_textual HIGH https://puppet.com/security/cve/CVE-2015-3900
generic_textual HIGH https://web.archive.org/web/20170331091241/https://puppet.com/security/cve/CVE-2015-3900
generic_textual HIGH https://web.archive.org/web/20200228055155/http://www.securityfocus.com/bid/75482
generic_textual HIGH https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
generic_textual HIGH https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900
generic_textual HIGH http://www.openwall.com/lists/oss-security/2015/06/26/2
generic_textual HIGH http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
Reference id Reference type URL
http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163502.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163600.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164236.html
http://rhn.redhat.com/errata/RHSA-2015-1657.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-3900.json
https://api.first.org/data/v1/epss?cve=CVE-2015-3900
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2015-3900.yml
https://nvd.nist.gov/vuln/detail/CVE-2015-3900
https://puppet.com/security/cve/CVE-2015-3900
https://web.archive.org/web/20170331091241/https://puppet.com/security/cve/CVE-2015-3900
https://web.archive.org/web/20200228055155/http://www.securityfocus.com/bid/75482
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900
https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/
http://www.openwall.com/lists/oss-security/2015/06/26/2
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
http://www.securityfocus.com/bid/75482
1236116 https://bugzilla.redhat.com/show_bug.cgi?id=1236116
790111 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790111
GHSA-wp3j-rvfp-624h https://github.com/advisories/GHSA-wp3j-rvfp-624h
RHSA-2015:1657 https://access.redhat.com/errata/RHSA-2015:1657
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.81192
EPSS Score 0.01655
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:28:11.004088+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wp3j-rvfp-624h/GHSA-wp3j-rvfp-624h.json 36.1.3