suse · CVE-2015-3900

Quick triage

Priority: medium Published: 2021-05-30 13:30:14 UTC Updated: 2026-04-18 18:18:57 UTC

View at Official suse advisory, NVD, CVE.org · CVE detail

Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.

Tracker summary

CVE-2015-3900 severity moderate: SUSE including 39 source package names (4.0.0:libruby2_1-2_1-2.1.9-15.1, 4.0.0:ruby2.1-2.1.9-15.1, …), 306 product×package rows across 83 product lines (Container caasp/v4/velum, HPE Helion OpenStack 8, … (83 product lines)): Known Not Affected 180, Fixed 126.

Description:

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

cvelogic Threat Intelligence