CVE-2019-16892 - OpenCVE

In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service (disk consumption).

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

AV:N/AC:M/Au:N/C:N/I:N/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Redhat	Cloudforms Cloudforms Managementengine
Rubyzip Project	Rubyzip

Configuration 1 [-]

cpe:2.3:a:rubyzip_project:rubyzip:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:29:::::::*
	cpe:2.3:o:fedoraproject:fedora:30:::::::*
	cpe:2.3:o:fedoraproject:fedora:31:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:redhat:cloudforms:4.7:::::::*
	cpe:2.3:a:redhat:cloudforms:5.11:::::::*

Package	CPE	Advisory	Released Date
CloudForms Management Engine 5.10
cfme-0:5.10.13.1-1.el7cf	cpe:/a:redhat:cloudforms_managementengine:5.10::el7	RHBA-2019:4047	2019-12-03T00:00:00Z
cfme-amazon-smartstate-0:5.10.13.1-1.el7cf	cpe:/a:redhat:cloudforms_managementengine:5.10::el7	RHBA-2019:4047	2019-12-03T00:00:00Z
cfme-appliance-0:5.10.13.1-1.el7cf	cpe:/a:redhat:cloudforms_managementengine:5.10::el7	RHBA-2019:4047	2019-12-03T00:00:00Z
cfme-gemset-0:5.10.13.1-1.el7cf	cpe:/a:redhat:cloudforms_managementengine:5.10::el7	RHBA-2019:4047	2019-12-03T00:00:00Z
ruby-0:2.4.9-93.el7cf	cpe:/a:redhat:cloudforms_managementengine:5.10::el7	RHBA-2019:4047	2019-12-03T00:00:00Z
CloudForms Management Engine 5.11
cfme-0:5.11.1.2-1.el8cf	cpe:/a:redhat:cloudforms_managementengine:5.11::el8	RHSA-2019:4201	2019-12-13T00:00:00Z
cfme-amazon-smartstate-0:5.11.1.2-1.el8cf	cpe:/a:redhat:cloudforms_managementengine:5.11::el8	RHSA-2019:4201	2019-12-13T00:00:00Z
cfme-appliance-0:5.11.1.2-1.el8cf	cpe:/a:redhat:cloudforms_managementengine:5.11::el8	RHSA-2019:4201	2019-12-13T00:00:00Z
cfme-gemset-0:5.11.1.2-1.el8cf	cpe:/a:redhat:cloudforms_managementengine:5.11::el8	RHSA-2019:4201	2019-12-13T00:00:00Z
ovirt-ansible-hosted-engine-setup-0:1.0.28-1.el8ev	cpe:/a:redhat:cloudforms_managementengine:5.11::el8	RHSA-2019:4201	2019-12-13T00:00:00Z
v2v-conversion-host-0:1.15.0-1.el8ev	cpe:/a:redhat:cloudforms_managementengine:5.11::el8	RHSA-2019:4201	2019-12-13T00:00:00Z

References

Link	Providers
https://access.redhat.com/errata/RHBA-2019:4047
https://access.redhat.com/errata/RHSA-2019:4201
https://github.com/rubyzip/rubyzip/commit/d65fe7bd283ec94f9d6dc7605f61a6b0dd00f55e
https://github.com/rubyzip/rubyzip/pull/403
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J45KSFPP6DFVWLC7Z73L7SX735CKZYO6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWWPORMSBHZTMP4PGF4DQD22TTKBQMMC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X255K6ZBAQC462PQN2ND5HOTTQEJ2G2X/
https://nvd.nist.gov/vuln/detail/CVE-2019-16892
https://www.cve.org/CVERecord?id=CVE-2019-16892

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-09-25T00:00:00

Updated: 2024-08-05T01:24:47.239Z

Reserved: 2019-09-25T00:00:00

Link: CVE-2019-16892

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-09-25T22:15:10.023

Modified: 2023-12-28T17:04:56.327

Link: CVE-2019-16892

Redhat

Severity : Moderate

Publid Date: 2019-09-25T00:00:00Z

Links: CVE-2019-16892 - Bugzilla

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object