CVE-2019-16892
cfme: rubygem-rubyzip denial of service via crafted ZIP file
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service (disk consumption).
En Rubyzip versiones anteriores a 1.3.0, un archivo ZIP diseñado puede omitir las comprobaciones de la aplicación en los tamaños de entrada ZIP porque los datos sobre el tamaño sin comprimir pueden ser falsificados. Esto permite a atacantes causar una denegación de servicio (consumo de disco).
A vulnerability in Rubyzip, versions prior to 1.3.0, allows a crafted ZIP file to bypass application checks on ZIP entry sizes. This allows an attacker to spoof data regarding the uncompressed size of the ZIP file, causing a denial of service due to disk consumption. Availability of the system is the highest threat.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-09-25 CVE Reserved
- 2019-09-25 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- 2024-09-18 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-400: Uncontrolled Resource Consumption
CAPEC
References (9)
URL | Tag | Source |
---|
URL | Date | SRC |
---|---|---|
https://github.com/rubyzip/rubyzip/pull/403 | 2024-08-05 |
URL | Date | SRC |
---|---|---|
https://github.com/rubyzip/rubyzip/commit/d65fe7bd283ec94f9d6dc7605f61a6b0dd00f55e | 2023-12-28 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Rubyzip Project Search vendor "Rubyzip Project" | Rubyzip Search vendor "Rubyzip Project" for product "Rubyzip" | < 1.3.0 Search vendor "Rubyzip Project" for product "Rubyzip" and version " < 1.3.0" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 29 Search vendor "Fedoraproject" for product "Fedora" and version "29" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 30 Search vendor "Fedoraproject" for product "Fedora" and version "30" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 31 Search vendor "Fedoraproject" for product "Fedora" and version "31" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Cloudforms Search vendor "Redhat" for product "Cloudforms" | 4.7 Search vendor "Redhat" for product "Cloudforms" and version "4.7" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Cloudforms Search vendor "Redhat" for product "Cloudforms" | 5.11 Search vendor "Redhat" for product "Cloudforms" and version "5.11" | - |
Affected
|