---
gem: rubyzip
cve: 2019-16892
url: https://github.com/rubyzip/rubyzip/pull/403
date: 2019-09-12
title: Denial of Service in rubyzip ("zip bombs")
description: |
  In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on
  ZIP entry sizes because data about the uncompressed size can be spoofed. This
  allows attackers to cause a denial of service (disk consumption).
patched_versions:
  - ">= 1.3.0"