CVEs-PoC/2017/CVE-2017-0902.md

### [CVE-2017-0902](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0902)
![](https://img.shields.io/static/v1?label=Product&message=RubyGems&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=Versions%20before%202.6.13%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Reliance%20on%20Reverse%20DNS%20Resolution%20for%20a%20Security-Critical%20Action%20(CWE-350)&color=brightgreen)

### Description

RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.

### POC

#### Reference
- https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32
- https://hackerone.com/reports/218088

#### Github
- https://github.com/ARPSyndicate/cvemon