A vulnerability was found in Rubyzip before 1.3.0: a crafted ZIP file can bypass application checks on ZIP entry sizes because the uncompressed size recorded in the entry header can be spoofed, so a check that trusts the header value passes while the actual inflated output is far larger. This allows attackers to cause a denial of service (disk consumption). Reference: https://github.com/rubyzip/rubyzip/pull/403
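To make the failure mode concrete, the following added example (written for this page, not code from Rubyzip or from the referenced pull request) builds a stand-in for a ZIP entry out of raw deflate data plus a declared uncompressed size, then contrasts a check that trusts the declared size with extraction that counts the bytes actually produced while inflating. The entry, the sizes and the `EntrySizeError` class are all constructed here for illustration.

```ruby
require 'zlib'

# Constructed stand-in for a ZIP local file entry: raw deflate data (ZIP stores
# deflate streams without the zlib header, hence the negative window bits) plus
# the uncompressed size the entry header claims. Both values are chosen here.
def build_entry(real_size, declared_size)
  payload = "\0" * real_size
  deflater = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS)
  compressed = deflater.deflate(payload, Zlib::FINISH)
  deflater.close
  { compressed: compressed, declared_size: declared_size }
end

# Naive check: trusts the header field. A spoofed declared size sails through
# even though the stream inflates to something much larger.
def naive_size_ok?(entry, limit)
  entry[:declared_size] <= limit
end

class EntrySizeError < StandardError; end

# Hardened extraction: inflate in chunks and count the bytes actually produced.
# Abort as soon as the running total exceeds the declared size or a hard cap,
# so a spoofed header cannot turn a small entry into unbounded disk usage.
def inflate_with_limit(entry, limit)
  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  total = 0
  out = +""
  inflater.inflate(entry[:compressed]) do |chunk|
    total += chunk.bytesize
    if total > entry[:declared_size]
      raise EntrySizeError, "actual size #{total} exceeds declared #{entry[:declared_size]}"
    end
    raise EntrySizeError, "actual size #{total} exceeds limit #{limit}" if total > limit
    out << chunk
  end
  out
ensure
  inflater.close if inflater
end

if __FILE__ == $PROGRAM_NAME
  spoofed = build_entry(1_000_000, 100)   # inflates to 1 MB, header claims 100 bytes
  puts "naive check accepts spoofed entry: #{naive_size_ok?(spoofed, 10_000)}"
  begin
    inflate_with_limit(spoofed, 10_000)
  rescue EntrySizeError => e
    puts "hardened extraction rejected it: #{e.message}"
  end
end
```

When extracting to disk, the same counter belongs in the loop that writes each inflated chunk to the output file; checking only the header field before extraction, as the naive function does, is exactly the pattern this issue defeats.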
Created rubygem-rubyzip tracking bugs for this issue: Affects: fedora-all [bug 1771299]
Statement: The Red Hat CloudForms 4.7 (5.10.13) release is affected but not vulnerable, as it includes the fixes from Rubyzip version 1.3.0. This issue was fixed in RHBA-2019:4047 (https://access.redhat.com/errata/RHBA-2019:4047) as part of the CFME component.
This issue has been addressed in the following products: CloudForms Management Engine 5.11 via RHSA-2019:4201 https://access.redhat.com/errata/RHSA-2019:4201
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-16892