N/A

RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900.

N/A

N/A

RubyGems 权限许可和访问控制漏洞

RubyGems是RubyGems组织的一款Ruby程序包管理器，它主要用于发布和管理Ruby程序包。 RubyGems中存在安全漏洞，该漏洞源于程序提取gem或创建API请求时没有正确验证域名。远程攻击者可借助特制的DNS SRV记录利用该漏洞将请求重定向到任意域。以下版本受到影响：RubyGems 2.0.17之前2.0.x版本，2.2.5之前2.2.x版本，2.4.8之前2.4.x版本。

N/A

N/A