class Dawn::Kb::CVE_2015_4020
Automatically created with rake on 2015-12-02
Public Class Methods
new()
click to toggle source
Calls superclass method
Dawn::Kb::GemCheck::new
# File lib/dawn/kb/cve_2015_4020.rb, line 11 def initialize title="RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record Hostname Validation Request Hijacking" message = "RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API request, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a 'DNS hijack attack.'" super({ :title=>title, :name=> "CVE-2015-4020", :cve=>"2015-4020", :osvdb=>"122162", :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N", :release_date => Date.new(2015, 8, 25), :cwe=>"", :owasp=>"A9", :applies=>["rails", "sinatra", "padrino"], :kind=>Dawn::KnowledgeBase::GEM_CHECK, :message=>message, :mitigation=>"Please upgrade rubygem to version 3.2.3 or later.", :aux_links=>[""] }) self.safe_versions = [{:version=>['2.0.17', '2.2.5', '2.4.8']}] end