CVE-2019-16892 – cfme: rubygem-rubyzip denial of service via crafted ZIP file
https://notcve.org/view.php?id=CVE-2019-16892
25 Sep 2019 — In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because the data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service (disk consumption). • https://access.redhat.com/errata/RHBA-2019:4047 • CWE-400: Uncontrolled Resource Consumption •
CVE-2018-1000544 – rubyzip: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file
https://notcve.org/view.php?id=CVE-2018-1000544
26 Jun 2018 — The rubyzip gem, version 1.2.1 and earlier, contains a Directory Traversal vulnerability in the Zip::File component that can result in arbitrary file writes to the filesystem. The attack appears to be exploitable when a site allows uploading of .zip files: an attacker can upload a malicious archive containing symlinks, or entries with absolute pathnames or "../" sequences, to write arbitrary files to the filesystem. • https://access.redhat.com/errata/RHSA-2018:3466 • CWE-59: Improper Link Resolution Before File Access ('Link Following') • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2017-5946 – Debian Security Advisory 3801-1
https://notcve.org/view.php?id=CVE-2017-5946
27 Feb 2017 — The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses "../" pathname substrings to write arbitrary files to the filesystem. • http://www.debian.org/security/2017/dsa-3801 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •