CVE-2015-3900, CVE-2015-4020 - Request Hijacking Vulnerability in RubyGems

  • Posted June 18, 2015

  • Assessed Risk Level: High

A vulnerability in RubyGems versions between 2.0 and 2.4.6 left clients open to a DNS hijack attack. An attacker could exploit this vulnerability to force a client to unknowingly download and install malicious gem content from an attacker-controlled gem server.

For more information on the RubyGems vulnerability, refer to the security announcement.
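The hijack was possible because RubyGems of that era discovered its API endpoint through a DNS SRV lookup for the configured source host and trusted whatever hostname came back. The defensive check is to accept only targets inside the source host's own domain. The following is an added illustration, not RubyGems' own code: a naive suffix check of the kind that left the first fix incomplete (CVE-2015-4020), next to a strict check that enforces the dot boundary. The hostnames are constructed sample values.

```ruby
# Added example: validating a DNS-discovered gem host against the configured
# source host. Not RubyGems' code; the hostnames below are constructed.

# Naive suffix check. "evilrubygems.example" ends with "rubygems.example",
# so this accepts a host outside the source domain.
def naive_host_ok?(host, target)
  target.to_s.end_with?(host.to_s)
end

# Strict check: the target must equal the source host or be a subdomain of
# it. Case is normalised and a trailing FQDN dot is stripped before comparing.
def strict_host_ok?(host, target)
  h = host.to_s.downcase.chomp('.')
  t = target.to_s.downcase.chomp('.')
  return false if h.empty? || t.empty?
  t == h || t.end_with?(".#{h}")
end

# Constructed SRV answers a client might receive for the source host.
SAMPLE_TARGETS = [
  'api.rubygems.example',            # legitimate subdomain
  'rubygems.example',                # the host itself
  'API.rubygems.example.',           # FQDN form with trailing dot
  'evilrubygems.example',            # outside the domain, same suffix
  'rubygems.example.attacker.test',  # outside the domain, embedded name
].freeze

# Returns the targets a given checker would accept for the source host.
def accepted_targets(host, checker)
  SAMPLE_TARGETS.select { |t| checker.call(host, t) }
end

if __FILE__ == $0
  host = 'rubygems.example'
  puts "naive:  #{accepted_targets(host, method(:naive_host_ok?)).inspect}"
  puts "strict: #{accepted_targets(host, method(:strict_host_ok?)).inspect}"
end
```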

CVSSv2 Score: 8.3

Vector: AV:N/AC:M/Au:N/C:P/I:C/A:P

Affected Software Versions:

  • Puppet Enterprise 3.7.x, 3.8.0 (Puppet Server, Razor Server, Windows 64-bit Puppet Agent)
  • Puppet Agent 1.x
  • Puppet 3.7.x, 3.8.x (Windows 64-bit only)
  • Razor Server 1.0 and earlier

Resolved in:

  • Puppet Enterprise 3.8.1
  • Razor Server 1.0.1
  • Puppet Agent 1.1.1