5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
ruby is vulnerable to man-in-the-middle attack. A flaw was found in a way rubygems verified the API endpoint hostname retrieved through a DNS SRV record. A man-in-the-middle attacker could use this flaw to force a client to download content from an untrusted domain.
CPE | Name | Operator | Version |
---|---|---|---|
rh-ruby22-ruby | eq | 2.2.2__11.el6 |
blog.rubygems.org/2015/05/14/CVE-2015-3900.html
lists.fedoraproject.org/pipermail/package-announce/2015-August/163502.html
lists.fedoraproject.org/pipermail/package-announce/2015-August/163600.html
lists.fedoraproject.org/pipermail/package-announce/2015-August/164236.html
rhn.redhat.com/errata/RHSA-2015-1657.html
www.openwall.com/lists/oss-security/2015/06/26/2
www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
www.securityfocus.com/bid/75482
access.redhat.com/security/updates/classification/#important
puppet.com/security/cve/CVE-2015-3900
rhn.redhat.com/errata/RHSA-2015-1657.html
www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/