Overview

CVE-2015-3900, CVE-2015-4020 - Request Hijacking Vulnerability in RubyGems

Posted June 18, 2015
Assessed Risk Level: High

A vulnerability in RubyGems versions between 2.0 and 2.4.6 left clients open to a DNS hijack attack. An attacker could exploit this vulnerability to force a client to unknowingly download and install malicious gem content from an attacker-controller gem server.

For more information on the RubyGems vulnerability, refer to the RubyGems.org security announcement.

CVSSv2 Score: 8.3

Vector: AV:N/AC:M/Au:N/C:P/I:C/A:P

Status:

Affected Software Versions:

Puppet Enterprise 3.7.x, 3.8.0 (Puppet Server, Razor Server, Windows 64-bit Puppet Agent)
Puppet Agent 1.x
Puppet 3.7.x, 3.8.x (Windows 64-bit only)
Razor Server 1.0 and earlier

Resolved in:

Puppet Enterprise 3.8.1
Razor Server 1.0.1
Puppet Agent 1.1.1

Overview

CVE-2015-3900, CVE-2015-4020 - Request Hijacking Vulnerability in RubyGems

Posted June 18, 2015

Assessed Risk Level: High

Status: