CVE-2015-3900, CVE-2015-4020 - Request Hijacking Vulnerability in RubyGems
Posted June 18, 2015
Assessed Risk Level: High
A vulnerability in RubyGems versions between 2.0 and 2.4.6 left clients open to a DNS hijack attack. To locate a gem source's API endpoint, these versions resolved a `_rubygems._tcp` DNS SRV record for the source's domain and followed whatever target host the record named, without checking that the target belonged to that domain. An attacker able to supply a crafted SRV record could exploit this vulnerability to force a client to unknowingly download and install malicious gem content from an attacker-controlled gem server. CVE-2015-3900 covers the missing check; CVE-2015-4020 covers the incomplete fix shipped in RubyGems 2.4.7, which accepted any target whose name merely ended with the source's domain name. Both are resolved in RubyGems 2.4.8.
For more information on the RubyGems vulnerability, refer to the RubyGems.org security announcement.
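As an added illustration, not code from the RubyGems project or from this advisory: a Ruby sketch of the hostname check the vulnerable clients lacked, alongside the shape of the incomplete fix and a hardened version, plus a check that the running RubyGems is at or above 2.4.8. The SRV answer table, host names and function names below are made up so the example runs offline; the suffix-only check is a reconstruction of the incomplete fix from the CVE description, not RubyGems source. `Gem::Version` ships with RubyGems.

```ruby
require "rubygems" # for Gem::Version

# RubyGems release carrying the complete fix (2.4.7 addressed CVE-2015-3900,
# 2.4.8 addressed the bypass tracked as CVE-2015-4020).
FIXED_RUBYGEMS = Gem::Version.new("2.4.8")

# Is the given RubyGems version string at or above the fixed release?
# Defaults to the RubyGems running this script.
def rubygems_patched?(version = Gem::VERSION)
  Gem::Version.new(version) >= FIXED_RUBYGEMS
end

# Constructed stand-in for DNS: maps the SRV name a client would query to the
# target host the record names. A real client would use Resolv::DNS; these
# hosts and answers are made up for the example.
SRV_ANSWERS = {
  "_rubygems._tcp.rubygems.org"   => "api.rubygems.org.",            # legitimate subdomain
  "_rubygems._tcp.gems.example"   => "evilgems.example.",             # bypass shape of CVE-2015-4020
  "_rubygems._tcp.mirror.example" => "mirror.example.attacker.test.", # plain hijack (CVE-2015-3900)
}.freeze

# Lower-case and drop the trailing dot DNS uses on fully qualified names.
def normalize(host)
  host.downcase.chomp(".")
end

# Vulnerable behaviour: every SRV target is accepted.
def accept_any_target?(_source_host, _srv_target)
  true
end

# Unanchored suffix check, the shape of the incomplete fix: "evilgems.example"
# ends with "gems.example", so it passes. Reconstruction, not RubyGems source.
def suffix_only_check?(source_host, srv_target)
  normalize(srv_target).end_with?(normalize(source_host))
end

# Hardened check: the target must be the source host itself or a subdomain of
# it, so the match has to begin on a label boundary (a dot).
def same_domain?(source_host, srv_target)
  h = normalize(source_host)
  t = normalize(srv_target)
  t == h || t.end_with?(".#{h}")
end

# Host a client would fetch gems from: the SRV target if the given policy
# accepts it, otherwise the configured source host.
def gem_endpoint(source_host, policy, answers = SRV_ANSWERS)
  src = normalize(source_host)
  target = answers["_rubygems._tcp.#{src}"]
  return src if target.nil?
  policy.call(src, target) ? normalize(target) : src
end

if __FILE__ == $PROGRAM_NAME
  puts "RubyGems #{Gem::VERSION} patched: #{rubygems_patched?}"
  SRV_ANSWERS.each_key do |name|
    src = name.sub("_rubygems._tcp.", "")
    puts "#{src}: unchecked=#{gem_endpoint(src, method(:accept_any_target?))} " \
         "suffix=#{gem_endpoint(src, method(:suffix_only_check?))} " \
         "hardened=#{gem_endpoint(src, method(:same_domain?))}"
  end
end
```

Only the hardened policy keeps both constructed attack records from redirecting the client; the suffix-only policy stops the plain hijack but still follows `evilgems.example` for a source of `gems.example`, which is the gap CVE-2015-4020 describes.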
CVSSv2 Score: 8.3
Affected Software Versions:
- Puppet Enterprise 3.7.x, 3.8.0 (Puppet Server, Razor Server, Windows 64-bit Puppet Agent)
- Puppet Agent 1.x
- Puppet 3.7.x, 3.8.x (Windows 64-bit only)
- Razor Server 1.0 and earlier
Resolved in:
- Puppet Enterprise 3.8.1
- Razor Server 1.0.1
- Puppet Agent 1.1.1