CVE-2019-16892 (High) detected in rubyzip-1.2.4.gem

Question

CVE-2019-16892 (High) detected in rubyzip-1.2.4.gem

mend-bolt-for-github opened this issue 5 years ago · 0 comments

mend-bolt-for-github commented 5 years ago

CVE-2019-16892 - High Severity Vulnerability

Vulnerable Library - rubyzip-1.2.4.gem

Library home page: https://rubygems.org/gems/rubyzip-1.2.4.gem

Path to dependency file: /tmp/ws-scm/Bacomathiques/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/rubyzip-1.2.4.gem

Dependency Hierarchy:

github-pages-health-check-1.16.1.gem (Root Library)
- jekyll-remote-theme-0.3.1.gem
  - ❌ rubyzip-1.2.4.gem (Vulnerable Library)

Found in HEAD commit: 202b08242de93ebe3e7e697da7bba349c87e5aa9

Vulnerability Details

In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service (disk consumption).

Publish Date: 2019-09-25

URL: CVE-2019-16892

CVSS 2 Score Details (7.1)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16892

Release Date: 2019-09-25

Fix Resolution: 1.3.0

Step up your Open Source Security Game with WhiteSource here