Vulnerability details: VCID-zp1b-4nku-y7ht

Vulnerability ID: VCID-zp1b-4nku-y7ht
Aliases: CVE-2015-4020, GHSA-qv62-xfj6-32xm
Summary: RubyGems Improper Input Validation vulnerability. RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.3.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3900.
Status: Published
Exploitability: 0.5
Weighted Severity: 6.2
Risk: 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
System          Score     Found at
generic_textual MODERATE  http://blog.rubygems.org/2015/06/08/2.2.5-released.html
generic_textual MODERATE  http://blog.rubygems.org/2015/06/08/2.4.8-released.html
epss            0.00524   https://api.first.org/data/v1/epss?cve=CVE-2015-4020
cvssv3.1_qr     MODERATE  https://github.com/advisories/GHSA-qv62-xfj6-32xm
generic_textual MODERATE  https://github.com/rubygems/rubygems
generic_textual MODERATE  https://github.com/rubygems/rubygems/commit/5c7bfb5
generic_textual MODERATE  https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2015-4020.yml
generic_textual MODERATE  https://nvd.nist.gov/vuln/detail/CVE-2015-4020
generic_textual MODERATE  https://puppet.com/security/cve/CVE-2015-3900
generic_textual MODERATE  https://web.archive.org/web/20200228084212/http://www.securityfocus.com/bid/75431
generic_textual MODERATE  https://web.archive.org/web/20200228085830/https://puppet.com/security/cve/CVE-2015-3900
generic_textual MODERATE  https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478
generic_textual MODERATE  https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900
generic_textual MODERATE  http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
generic_textual MODERATE  http://www.securityfocus.com/bid/75431
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile: 0.65956
EPSS Score: 0.00524
Published At: June 30, 2025, 12:55 p.m.
History
Date: 2025-07-01T12:26:55.115065+00:00
Actor: GithubOSV Importer
Action: Import
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qv62-xfj6-32xm/GHSA-qv62-xfj6-32xm.json
VulnerableCode Version: 36.1.3