rubyzip 1.1.3

3 security vulnerabilities found in version 1.1.3

Directory Traversal in rubyzip

critical severity CVE-2018-1000544
critical severity CVE-2018-1000544
Patched versions: >= 1.2.2

rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability in Zip::File component that can result in write arbitrary files to the filesystem. If a site allows uploading of .zip files, an attacker can upload a malicious file which contains symlinks or files with absolute pathnames "../" to write arbitrary files to the filesystem.

Directory traversal vulnerability in rubyzip

critical severity CVE-2017-5946
critical severity CVE-2017-5946
Patched versions: >= 1.2.1

The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses "../" pathname substrings to write arbitrary files to the filesystem.

Denial of Service in rubyzip ("zip bombs")

medium severity CVE-2019-16892
medium severity CVE-2019-16892
Patched versions: >= 1.3.0

In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service (disk consumption).

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

Gem version without a license.


Unless a license that specifies otherwise is included, nobody can use, copy, distribute, or modify this library without being at risk of take-downs, shake-downs, or litigation.

This gem version is available.


This gem version has not been yanked and is still available for usage.