RubyGems DNS request hijacking vulnerability
Published: August 29, 2017
SECURITY IDENTIFIERS
- CVE: CVE-2017-0902 (NVD)
- GHSA: GHSA-73w7-6w9g-gc8w
- Vendor Advisory: https://blog.rubygems.org/2017/08/27/2.6.13-released.html
GEM
LIBRARY
SEVERITY
PATCHED VERSIONS
>= 2.4.5.3
>= 2.5.2.1
>= 2.6.13
DESCRIPTION
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to down load and install gems from a server that the attacker controls.