Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive

---
gem: rubyzip
date: 2019-09-12
url: https://github.com/rubyzip/rubyzip/pull/403
cve: 2019-16892
title: Denial of Service in rubyzip ("zip bombs")
description: |
  In Rubyzip before 1.3.0, a crafted ZIP file can bypass application
  checks on ZIP entry sizes, because the uncompressed size recorded in
  an entry's header is attacker-controlled and can be set far below the
  size the data actually inflates to. An application that enforces an
  extraction limit by comparing that header field against the limit
  therefore accepts a "zip bomb", and extracting it allows attackers to
  cause a denial of service (disk consumption).
patched_versions:
- ">= 1.3.0"
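An added illustration of the pattern this advisory describes, written for this page and not taken from rubyzip or PR #403: a minimal one-entry ZIP writer and reader built only on Ruby's standard library (`zlib`), a constructed archive whose header declares 10 bytes for an entry that really inflates to 1 MiB, an extractor that trusts the header field the way a pre-1.3.0 application-side size check could, and a hardened extractor that counts bytes as they leave the inflater and additionally cross-checks the total against the header. The 64 KiB limit, the file names and all helper names are hypothetical.

```ruby
require 'zlib'

# Raised by the hardened extractor when an entry exceeds the limit or its
# inflated size disagrees with the header.
class ZipBombError < StandardError; end

# --- Minimal ZIP writer (constructed test data, not a general library) ------
# Produces a one-entry archive using raw deflate (method 8). The caller chooses
# the "uncompressed size" written into the local header and the central
# directory, so the field can deliberately lie about the real size.

def raw_deflate(data)
  d = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS) # negative wbits = raw deflate
  out = d.deflate(data, Zlib::FINISH)
  d.close
  out
end

def build_zip(name, payload, declared_uncompressed_size)
  comp = raw_deflate(payload)
  crc  = Zlib.crc32(payload)
  # local file header: sig, version, flags, method, time, date, crc, csize, usize, name len, extra len
  local = [0x04034b50, 20, 0, 8, 0, 0, crc, comp.bytesize, declared_uncompressed_size,
           name.bytesize, 0].pack('VvvvvvVVVvv') + name + comp
  # central directory entry, pointing back at local header offset 0
  central = [0x02014b50, 20, 20, 0, 8, 0, 0, crc, comp.bytesize, declared_uncompressed_size,
             name.bytesize, 0, 0, 0, 0, 0, 0].pack('VvvvvvvVVVvvvvvVV') + name
  eocd = [0x06054b50, 0, 0, 1, 1, central.bytesize, local.bytesize, 0].pack('VvvvvVVv')
  local + central + eocd
end

# --- Minimal reader for the first local file header -------------------------

LocalEntry = Struct.new(:name, :compression, :declared_size, :compressed_data)

def read_first_local_entry(zip)
  sig, _ver, _flags, meth, _time, _date, _crc, csize, usize, nlen, xlen = zip.unpack('VvvvvvVVVvv')
  raise 'not a ZIP local file header' unless sig == 0x04034b50
  name = zip.byteslice(30, nlen)
  data = zip.byteslice(30 + nlen + xlen, csize)
  LocalEntry.new(name, meth, usize, data)
end

# --- Vulnerable pattern: trust the header's uncompressed size ----------------
# The check passes for any archive whose header claims a small size, however
# much the data really inflates to.

def extract_trusting_header(entry, limit)
  raise ZipBombError, "declared #{entry.declared_size} > limit #{limit}" if entry.declared_size > limit
  inf = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out = inf.inflate(entry.compressed_data) # inflates everything, whatever the size
  inf.close
  out
end

# --- Hardened pattern: count bytes as they are produced ----------------------
# Feed the compressed stream in small slices so each step inflates a bounded
# amount (deflate's best case is about 1032:1, so a 256-byte slice yields at
# most ~264 KiB) and abort as soon as the running total passes the limit.
# Finally cross-check the total against the header: a mismatch is itself
# evidence of tampering and is rejected.

def extract_counting_bytes(entry, limit, slice = 256)
  inf   = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out   = ''.b
  total = 0
  data  = entry.compressed_data
  pos   = 0
  while pos < data.bytesize
    chunk  = inf.inflate(data.byteslice(pos, slice))
    total += chunk.bytesize
    if total > limit
      inf.close
      raise ZipBombError, "inflated #{total} bytes so far, limit is #{limit}"
    end
    out << chunk
    pos += slice
  end
  inf.close
  if total != entry.declared_size
    raise ZipBombError, "header declares #{entry.declared_size} bytes but entry inflated to #{total}"
  end
  out
end

# Demo: a 1 MiB entry whose header claims 10 bytes, against a 64 KiB policy.
def demo(limit = 64 * 1024)
  entry = read_first_local_entry(build_zip('bomb.txt', 'A' * (1024 * 1024), 10))
  trusting_wrote = extract_trusting_header(entry, limit).bytesize # the full 1 MiB slips through
  hardened = begin
    extract_counting_bytes(entry, limit)
    :allowed
  rescue ZipBombError
    :rejected
  end
  { declared: entry.declared_size, trusting_wrote: trusting_wrote, hardened: hardened }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Run it with `ruby zipbomb_demo.rb`: `demo` reports the header's declared size (10), the number of bytes the trusting path wrote (1 MiB) and that the counting path rejected the entry after its first inflated slice. The point for applications using rubyzip is the one the record above makes: upgrade to a patched version and do not treat an entry's declared size as a substitute for bounding what is actually written to disk.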