[RUBYSEC:RUBYGEMS-UPDATE-2017-0902] RubyGems DNS request hijacking vulnerability

Severity High
Affected Packages 3
Fixed Packages 3
CVEs 1

RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking
vulnerability that allows a MITM attacker to force the RubyGems client to
download and install gems from a server that the attacker controls.

Package Affected Version
pkg:gem/rubygems-update < 2.4.5.3
pkg:gem/rubygems-update < 2.5.2.1
pkg:gem/rubygems-update < 2.6.13
Package Fixed Version
pkg:gem/rubygems-update >= 2.4.5.3
pkg:gem/rubygems-update >= 2.5.2.1
pkg:gem/rubygems-update >= 2.6.13
Source # ID Name URL
Security Advisory GHSA-73w7-6w9g-gc8w https://github.com/advisories/GHSA-73w7-6w9g-gc8w
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Fixed pkg:gem/rubygems-update rubygems-update >= 2.4.5.3
Affected pkg:gem/rubygems-update rubygems-update < 2.4.5.3
Fixed pkg:gem/rubygems-update rubygems-update >= 2.5.2.1
Affected pkg:gem/rubygems-update rubygems-update < 2.5.2.1
Fixed pkg:gem/rubygems-update rubygems-update >= 2.6.13
Affected pkg:gem/rubygems-update rubygems-update < 2.6.13