Vulnerability Change Records for CVE-2015-4020

Change History

CVE Modified by MITRE 12/08/2017 9:29:04 PM

Action Type Old Value New Value
Added Reference
https://puppet.com/security/cve/CVE-2015-3900 [No Types Assigned]

CVE Modified by Source 10/17/2016 11:47:06 PM

Action Type Old Value New Value
Added Reference
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html

Modified Analysis 10/19/2016 3:12:53 PM

Action Type Old Value New Value
Changed CPE Configuration
Old Value:
Configuration 1
     OR
          *cpe:2.3:a:rubygems:rubygems:2.0.0:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:preview2:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.1:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.2:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:rc1:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:rc2:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.1:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.10:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.11:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.12:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.13:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.14:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.15:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.16:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.2:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.3:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.4:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.5:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.6:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.7:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.8:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.9:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.0:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.1:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.2:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.3:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.4:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.0:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.1:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.2:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.3:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.4:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.5:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.6:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.7:*:*:*:*:*:*:*
New Value:
Configuration 1
     OR
          *cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
Configuration 2
     OR
          *cpe:2.3:a:rubygems:rubygems:2.0.0:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:preview2:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.1:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.2:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:rc1:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:rc2:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.1:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.10:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.11:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.12:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.13:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.14:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.15:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.16:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.2:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.3:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.4:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.5:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.6:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.7:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.8:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.9:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.0:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.1:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.2:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.3:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.4:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.0:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.1:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.2:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.3:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.4:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.5:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.6:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.7:*:*:*:*:*:*:*
Changed Reference Type
Old Value: http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html No Types Assigned
New Value: http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html Third Party Advisory
Changed Reference Type
Old Value: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478 No Types Assigned
New Value: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478 Third Party Advisory
Changed Reference Type
Old Value: https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/ No Types Assigned
New Value: https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/ Third Party Advisory

CVE Modified by Source 4/05/2016 9:59:10 PM

Action Type Old Value New Value
Changed Description
Old Value: RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API request, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900.
New Value: RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900.

Modified Analysis 8/26/2015 12:53:39 PM

Action Type Old Value New Value
Added CPE Configuration
Configuration 1
     OR
          *cpe:2.3:a:rubygems:rubygems:2.0.0:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:preview2:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.1:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.2:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:rc1:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:rc2:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.1:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.10:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.11:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.12:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.13:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.14:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.15:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.16:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.2:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.3:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.4:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.5:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.6:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.7:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.8:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.9:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.0:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.1:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.2:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.3:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.4:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.0:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.1:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.2:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.3:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.4:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.5:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.6:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.7:*:*:*:*:*:*:*
Added CVSS V2
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Added CWE
CWE-20
Changed Reference Type
Old Value: http://blog.rubygems.org/2015/06/08/2.2.5-released.html No Types Assigned
New Value: http://blog.rubygems.org/2015/06/08/2.2.5-released.html Advisory
Changed Reference Type
Old Value: http://blog.rubygems.org/2015/06/08/2.4.8-released.html No Types Assigned
New Value: http://blog.rubygems.org/2015/06/08/2.4.8-released.html Advisory

Initial CVE Analysis 8/26/2015 9:18:46 AM

Action Type Old Value New Value

CVE Translated 4/06/2016 6:45:01 AM

Action Type Old Value New Value
Added Translation
RubyGems 2.0.x en versiones anteriores a 2.0.17, 2.2.x en versiones anteriores a 2.2.5 y 2.4.x en versiones anteriores a 2.4.8 no valida el nombre del host cuando recupera gemas o hace peticiones API, lo que permite a atacantes remotos redirigir peticiones a dominios arbitrarios mediante un registro DNS SRV con un dominio que está seguido del nombre del dominio original, también conocido como un "atacque de secuestro DNS". NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2015-3900.
Removed Translation
Vulnerabilidad en RubyGems 2.0.x en versiones anteriores a 2.0.17, 2.2.x en versiones anteriores a 2.2.5 y 2.4.x en versiones anteriores a 2.4.8, no valida correctamente el hostname cuando se recuperan gemas o se hacen peticiones a la API, lo cual permite a atacantes remotos redirigir las peticiones a dominios arbitrarios a través de registros DNS SRV manipulados con un dominio que se añade como sufijo con el nombre de dominio original, también conocido como 'DNS hijack attack'. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2015-3900.

CVE Modified by MITRE 12/05/2016 10:1:52 PM

Action Type Old Value New Value
Added Reference
http://www.securityfocus.com/bid/75431 [No Types Assigned]

Initial CVE Analysis 10/19/2016 12:29:19 PM

Action Type Old Value New Value
Changed CPE Configuration
Old Value:
Configuration 1
     OR
          *cpe:2.3:a:rubygems:rubygems:2.0.0:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:preview2:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.1:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.2:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:rc1:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:rc2:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.1:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.10:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.11:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.12:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.13:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.14:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.15:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.16:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.2:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.3:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.4:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.5:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.6:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.7:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.8:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.9:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.0:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.1:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.2:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.3:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.4:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.0:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.1:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.2:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.3:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.4:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.5:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.6:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.7:*:*:*:*:*:*:*
New Value:
Configuration 1
     OR
          *cpe:2.3:a:rubygems:rubygems:2.0.0:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:preview2:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.1:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.2:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:rc1:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.0:rc2:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.1:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.10:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.11:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.12:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.13:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.14:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.15:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.16:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.2:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.3:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.4:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.5:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.6:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.7:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.8:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.0.9:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.0:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.1:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.2:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.3:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.2.4:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.0:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.1:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.2:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.3:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.4:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.5:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.6:*:*:*:*:*:*:*
          *cpe:2.3:a:rubygems:rubygems:2.4.7:*:*:*:*:*:*:*
Configuration 2
     OR
          *cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
Changed Reference Type
Old Value: http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html No Types Assigned
New Value: http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html Third Party Advisory