Class: Dawn::Kb::CVE_2015_4020

Inherits:
Object
  • Object
show all
Includes:
GemCheck
Defined in:
lib/dawn/kb/cve_2015_4020.rb

Overview

Automatically created with rake on 2015-12-02

Constant Summary

Constants included from BasicCheck

BasicCheck::ALLOWED_FAMILIES

Instance Attribute Summary

Attributes included from GemCheck

#my_gem_version, #safe_versions

Attributes included from BasicCheck

#applies, #aux_links, #check_family, #cve, #cvss, #cwe, #debug, #evidences, #fixes_version, #kind, #message, #mitigated, #name, #osvdb, #owasp, #priority, #release_date, #remediation, #ruby_version, #ruby_vulnerable_versions, #severity, #status, #target_version, #title

Instance Method Summary collapse

Methods included from GemCheck

#take_gem_version_from_system, #vuln?

Methods included from BasicCheck

#applies_to?, #cve_link, #cvss_score, families, #family, #family=, #lint, #mitigated?, #nvd_link, #osvdb_link, #rubysec_advisories_link

Methods included from Utils

#__debug_me_and_return, #debug_me, #debug_me_and_return_false, #debug_me_and_return_true

Constructor Details

#initializeCVE_2015_4020

Returns a new instance of CVE_2015_4020.


11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# File 'lib/dawn/kb/cve_2015_4020.rb', line 11

def initialize
      title="RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record Hostname Validation Request Hijacking"
      message = "RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API request, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a 'DNS hijack attack.'"
      super({
        :title=>title,
        :name=> "CVE-2015-4020",
        :cve=>"2015-4020",
        :osvdb=>"122162",
        :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
        :release_date => Date.new(2015, 8, 25),
        :cwe=>"",
        :owasp=>"A9",
        :applies=>["rails", "sinatra", "padrino"],
        :kind=>Dawn::KnowledgeBase::GEM_CHECK,
        :message=>message,
        :mitigation=>"Please upgrade rubygem to version 3.2.3 or later.",
        :aux_links=>[""]
       })

      self.safe_versions = [{:version=>['2.0.17', '2.2.5', '2.4.8']}]
end