Arbitrary Code Execution Affecting zipruby package, versions >0.0.0


Severity: medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS: 7.07% (95th percentile)

  • Snyk ID: SNYK-RUBY-ZIPRUBY-20433
  • Published: 7 Dec 2017
  • Disclosed: 12 Jul 2012
  • Credit: Michael Grosser

Introduced: 12 Jul 2012

CVE-2012-1163
CWE-119

How to fix?

There is no fix version for zipruby.

Overview

zipruby provides Ruby bindings for libzip.

Affected versions of the package are vulnerable to Arbitrary Code Execution. Integer overflow in the _zip_readcdir function in zip_open.c in libzip 0.10 allows remote attackers to execute arbitrary code via the size and offset values for the central directory in a zip archive, which triggers "improper restrictions of operations within the bounds of a memory buffer" and an information leak.
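As an added illustration of the input the advisory describes, not code from the advisory or the zipruby project: a caller-side Ruby check that reads the End of Central Directory record and rejects archives whose central-directory offset and size do not fit inside the file before the data is handed to libzip. The function names, the constructed sample archives and the decision to validate in the caller are assumptions of this example.

```ruby
# Added example (not from the advisory or the zipruby project): a caller-side
# sanity check of the End of Central Directory (EOCD) record. It rejects
# central-directory size/offset values that do not fit inside the file, the
# field pair the advisory names as the trigger for the overflow in libzip 0.10.

EOCD_SIG = "PK\x05\x06".b
EOCD_MIN_LEN = 22      # fixed part of the EOCD record, before the comment
MAX_COMMENT = 0xFFFF   # the zip comment length is a 16-bit field

class UnsafeZip < StandardError; end

# Locate the EOCD record by scanning backwards from the end of the data.
def find_eocd(data)
  start = [data.bytesize - EOCD_MIN_LEN - MAX_COMMENT, 0].max
  pos = data.rindex(EOCD_SIG)
  raise UnsafeZip, "no EOCD record" if pos.nil? || pos < start
  pos
end

# Returns {cd_size:, cd_offset:, eocd_pos:} after validating the geometry.
def check_central_directory(data)
  data = data.b
  eocd = find_eocd(data)
  raise UnsafeZip, "truncated EOCD" if data.bytesize - eocd < EOCD_MIN_LEN
  # EOCD layout: sig(4) disk(2) cd_disk(2) entries_disk(2) entries(2)
  #              cd_size(4) cd_offset(4) comment_len(2) comment(...)
  cd_size, cd_offset, comment_len = data[eocd + 12, 10].unpack("VVv")
  if eocd + EOCD_MIN_LEN + comment_len != data.bytesize
    raise UnsafeZip, "comment length does not match file size"
  end
  # Ruby integers do not wrap, so this sum is exact; the same two fields added
  # as 32-bit unsigned values in C could wrap and slip past a naive bound check.
  if cd_offset + cd_size > eocd
    raise UnsafeZip, format("central directory 0x%x+0x%x exceeds EOCD at 0x%x",
                            cd_offset, cd_size, eocd)
  end
  { cd_size: cd_size, cd_offset: cd_offset, eocd_pos: eocd }
end

# Constructed samples: an empty archive (EOCD only) and a crafted EOCD whose
# size/offset pair wraps when summed as a 32-bit value (0xFFFFFFF8 + 0x10 = 0x8).
def build_eocd(cd_size, cd_offset)
  EOCD_SIG + [0, 0, 0, 0, cd_size, cd_offset, 0].pack("vvvvVVv")
end

EMPTY_ZIP = build_eocd(0, 0)
WRAPPED_ZIP = build_eocd(0x10, 0xFFFF_FFF8)

def safe_to_open?(data)
  check_central_directory(data)
  true
rescue UnsafeZip
  false
end
```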

CVSS Scores

version 3.1