GHSA-wp3j-rvfp-624h

Suggest an improvement
Source
https://github.com/advisories/GHSA-wp3j-rvfp-624h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wp3j-rvfp-624h/GHSA-wp3j-rvfp-624h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wp3j-rvfp-624h
Aliases
Published
2022-05-14T01:08:49Z
Modified
2024-02-15T05:32:15.676787Z
Summary
RubyGems vulnerable to DNS hijack attack
Details

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

References

Affected packages

RubyGems / rubygems-update

Package

Name
rubygems-update
Purl
pkg:gem/rubygems-update

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.16

Affected versions

2.*

2.0.0
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15

RubyGems / rubygems-update

Package

Name
rubygems-update
Purl
pkg:gem/rubygems-update

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.2.4

Affected versions

2.*

2.2.0
2.2.1
2.2.2
2.2.3

RubyGems / rubygems-update

Package

Name
rubygems-update
Purl
pkg:gem/rubygems-update

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4.0
Fixed
2.4.7

Affected versions

2.*

2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6