Class: Dawn::Kb::CVE_2015_4020

# File 'lib/dawn/kb/cve_2015_4020.rb', line 11

def initialize
      title="RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record Hostname Validation Request Hijacking"
      message = "RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API request, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a 'DNS hijack attack.'"
      super({
        :title=>title,
        :name=> "CVE-2015-4020",
        :cve=>"2015-4020",
        :osvdb=>"122162",
        :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
        :release_date => Date.new(2015, 8, 25),
        :cwe=>"",
        :owasp=>"A9",
        :applies=>["rails", "sinatra", "padrino"],
        :kind=>Dawn::KnowledgeBase::GEM_CHECK,
        :message=>message,
        :mitigation=>"Please upgrade rubygem to version 3.2.3 or later.",
        :aux_links=>[""]
       })

      self.safe_versions = [{:version=>['2.0.17', '2.2.5', '2.4.8']}]
end

Class: Dawn::Kb::CVE_2015_4020

Overview

Constant Summary

Constants included from BasicCheck

Instance Attribute Summary

Attributes included from GemCheck

Attributes included from BasicCheck

Instance Method Summary collapse

Methods included from GemCheck

Methods included from BasicCheck

Methods included from Utils

Constructor Details

#initialize ⇒ CVE_2015_4020

#initialize ⇒ `CVE_2015_4020`