PT-2019-14849 · Ruby · Rubyzip

Published 2019-09-25 · Updated 2024-06-15 · CVE-2019-16892

CVSS v2.0: 7.1 (High)
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Rubyzip versions prior to 1.3.0

Description: A crafted ZIP file can bypass application checks on ZIP entry sizes because the uncompressed size recorded for an entry can be spoofed, allowing attackers to cause a denial of service (disk consumption).

Recommendations: For versions prior to 1.3.0, update to version 1.3.0 or later to resolve the issue. As a temporary workaround, consider restricting the handling of ZIP files from untrusted sources to minimize the risk of exploitation.
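The description above turns on one detail: an entry's declared uncompressed size is attacker-controlled metadata, so a size check that reads the header and nothing else can be satisfied by an archive whose entry actually inflates to far more. The following Ruby example is added here to illustrate that failure mode and the defensive pattern; it is not Rubyzip's own code and does not use the gem. It stands in for a ZIP entry with a small Struct (the `declared_size` field plays the role of the header's uncompressed-size value), builds a constructed deflate stream with Ruby's standard `Zlib`, and contrasts a check that trusts the declared size with one that counts bytes as they are actually inflated and stops at a budget.

```ruby
require 'zlib'
require 'stringio'

# Per-entry budget of uncompressed bytes we are willing to write (assumption
# for this example; a real application would pick its own limit).
MAX_ENTRY_BYTES = 1024

# Constructed sample data: 64 KiB of zeros deflates to a few dozen bytes.
REAL_PLAINTEXT = "\0" * 65_536
DEFLATED = Zlib::Deflate.deflate(REAL_PLAINTEXT)

# Minimal stand-in for a ZIP entry. `declared_size` mimics the header's
# uncompressed-size field, which an attacker controls.
SpoofedEntry = Struct.new(:name, :declared_size, :compressed_data)

# The header claims 100 bytes; the data really inflates to 65,536.
SAMPLE_ENTRY = SpoofedEntry.new("a.txt", 100, DEFLATED)

# Raised by the guarded extractor when the budget is exceeded.
class EntryTooLarge < StandardError; end

# Vulnerable pattern: decide purely from the header value.
# Returns true for the spoofed entry even though it would write 64 KiB.
def naive_size_check_passes?(entry, limit = MAX_ENTRY_BYTES)
  entry.declared_size <= limit
end

# Hardened pattern: inflate in chunks, count what actually comes out, and
# abort as soon as the running total exceeds the budget. The declared size
# is never consulted. Returns [:ok, bytes_written] or [:aborted, bytes_written].
def guarded_inflate(entry, limit = MAX_ENTRY_BYTES)
  inflater = Zlib::Inflate.new
  written = 0
  out = StringIO.new # stand-in for the destination file
  begin
    # Block form of Zlib::Inflate#inflate yields decompressed chunks as they
    # are produced instead of materialising the whole output at once.
    inflater.inflate(entry.compressed_data) do |chunk|
      written += chunk.bytesize
      raise EntryTooLarge, "#{entry.name}: #{written} bytes > #{limit}" if written > limit
      out.write(chunk)
    end
    [:ok, written]
  rescue EntryTooLarge
    # Caller would delete any partially written file here.
    [:aborted, written]
  ensure
    inflater.close
  end
end

# Convenience wrapper showing the two checks side by side for one entry.
# Returns a hash describing what each approach would have done.
def compare_checks(entry, limit = MAX_ENTRY_BYTES)
  status, actual = guarded_inflate(entry, limit)
  {
    name: entry.name,
    declared_size: entry.declared_size,
    naive_check_allows: naive_size_check_passes?(entry, limit),
    guarded_result: status,
    bytes_before_stop: actual
  }
end

if __FILE__ == $PROGRAM_NAME
  p compare_checks(SAMPLE_ENTRY)
  # Expected shape: naive_check_allows: true, guarded_result: :aborted
end
```

The point of the guarded version is that the budget is enforced on the bytes that reach the disk, not on a number read from the archive; the same counting applies equally to files written straight to disk instead of a StringIO.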

Exploit

Fix

Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2019-16892
GHSA-5M2V-HC64-56H6
OESA-2022-1542
OPENSUSE-SU-2024:11491-1
RHSA-2019:4201

Affected Products

Rubyzip