{
  "threat_severity" : "Moderate",
  "public_date" : "2019-09-25T00:00:00Z",
  "bugzilla" : {
    "description" : "cfme: rubygem-rubyzip denial of service via crafted ZIP file",
    "id" : "1771298",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1771298"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service (disk consumption).", "A vulnerability in Rubyzip, versions prior to 1.3.0, allows a crafted ZIP file to bypass application checks on ZIP entry sizes. This allows an attacker to spoof data regarding the uncompressed size of the ZIP file, causing a denial of service due to disk consumption. Availability of the system is the highest threat." ],
  "statement" : "Red Hat CloudForms 4.7 (5.10.13) release is affected, but not vulnerable as they include fixes for Rubyzip version 1.3.0. This issue was fixed in RHBA-2019:4047 (https://access.redhat.com/errata/RHBA-2019:4047) as part of CFME component.",
  "affected_release" : [ {
    "product_name" : "CloudForms Management Engine 5.10",
    "release_date" : "2019-12-03T00:00:00Z",
    "advisory" : "RHBA-2019:4047",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.10::el7",
    "package" : "cfme-0:5.10.13.1-1.el7cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.10",
    "release_date" : "2019-12-03T00:00:00Z",
    "advisory" : "RHBA-2019:4047",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.10::el7",
    "package" : "cfme-amazon-smartstate-0:5.10.13.1-1.el7cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.10",
    "release_date" : "2019-12-03T00:00:00Z",
    "advisory" : "RHBA-2019:4047",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.10::el7",
    "package" : "cfme-appliance-0:5.10.13.1-1.el7cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.10",
    "release_date" : "2019-12-03T00:00:00Z",
    "advisory" : "RHBA-2019:4047",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.10::el7",
    "package" : "cfme-gemset-0:5.10.13.1-1.el7cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.10",
    "release_date" : "2019-12-03T00:00:00Z",
    "advisory" : "RHBA-2019:4047",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.10::el7",
    "package" : "ruby-0:2.4.9-93.el7cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.11",
    "release_date" : "2019-12-13T00:00:00Z",
    "advisory" : "RHSA-2019:4201",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.11::el8",
    "package" : "cfme-0:5.11.1.2-1.el8cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.11",
    "release_date" : "2019-12-13T00:00:00Z",
    "advisory" : "RHSA-2019:4201",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.11::el8",
    "package" : "cfme-amazon-smartstate-0:5.11.1.2-1.el8cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.11",
    "release_date" : "2019-12-13T00:00:00Z",
    "advisory" : "RHSA-2019:4201",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.11::el8",
    "package" : "cfme-appliance-0:5.11.1.2-1.el8cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.11",
    "release_date" : "2019-12-13T00:00:00Z",
    "advisory" : "RHSA-2019:4201",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.11::el8",
    "package" : "cfme-gemset-0:5.11.1.2-1.el8cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.11",
    "release_date" : "2019-12-13T00:00:00Z",
    "advisory" : "RHSA-2019:4201",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.11::el8",
    "package" : "ovirt-ansible-hosted-engine-setup-0:1.0.28-1.el8ev"
  }, {
    "product_name" : "CloudForms Management Engine 5.11",
    "release_date" : "2019-12-13T00:00:00Z",
    "advisory" : "RHSA-2019:4201",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.11::el8",
    "package" : "v2v-conversion-host-0:1.15.0-1.el8ev"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-16892\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-16892" ],
  "name" : "CVE-2019-16892",
  "csaw" : false
}