CVE-2015-3900

Public on 2015-06-16
Modified on 2024-05-16
Description
A flaw was found in a way rubygems verified the API endpoint hostname retrieved through a DNS SRV record. A man-in-the-middle attacker could use this flaw to force a client to download content from an untrusted domain.
Severity
Important severity
Important
CVSS v3 Base Score
8.3
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 ruby No Fix Planned
Amazon Linux 2 - Core ruby Not Affected
Amazon Linux 1 ruby18 No Fix Planned
Amazon Linux 1 ruby19 No Fix Planned
Amazon Linux 1 ruby20 2015-06-16 ALAS-2015-547 Fixed
Amazon Linux 1 ruby21 2015-06-16 ALAS-2015-548 Fixed
Amazon Linux 1 ruby22 2015-06-16 ALAS-2015-549 Fixed
Amazon Linux 1 ruby23 No Fix Planned
Amazon Linux 1 ruby24 No Fix Planned
Amazon Linux 2023 ruby3.2 Not Affected

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 8.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD CVSSv2 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N