diff --git a/Gemfile.lock b/Gemfile.lock
index 11921a64900..f253375265a 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -804,7 +804,7 @@ GEM
       sexp_processor (~> 4.1)
     rubyntlm (0.6.2)
     rubypants (0.2.0)
-    rubyzip (1.2.1)
+    rubyzip (1.2.2)
     rufus-scheduler (3.4.0)
       et-orbi (~> 1.0)
     rugged (0.27.4)
diff --git a/Gemfile.rails5.lock b/Gemfile.rails5.lock
index 02f9e112300..17d3c1d415a 100644
--- a/Gemfile.rails5.lock
+++ b/Gemfile.rails5.lock
@@ -813,7 +813,7 @@ GEM
       sexp_processor (~> 4.1)
     rubyntlm (0.6.2)
     rubypants (0.2.0)
-    rubyzip (1.2.1)
+    rubyzip (1.2.2)
     rufus-scheduler (3.4.0)
       et-orbi (~> 1.0)
     rugged (0.27.4)
diff --git a/changelogs/unreleased/50930-update-rubyzip-to-1-2-2.yml b/changelogs/unreleased/50930-update-rubyzip-to-1-2-2.yml
new file mode 100644
index 00000000000..be5cc60df64
--- /dev/null
+++ b/changelogs/unreleased/50930-update-rubyzip-to-1-2-2.yml
@@ -0,0 +1,5 @@
+---
+title: Update rubyzip to 1.2.2 (CVE-2018-1000544)
+merge_request: 21460
+author: Takuya Noguchi
+type: security
diff --git a/qa/Gemfile.lock b/qa/Gemfile.lock
index 1bc424335f8..8f523e55adc 100644
--- a/qa/Gemfile.lock
+++ b/qa/Gemfile.lock
@@ -77,7 +77,7 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.7.0)
     rspec-support (3.7.0)
-    rubyzip (1.2.1)
+    rubyzip (1.2.2)
     selenium-webdriver (3.8.0)
       childprocess (~> 0.5)
       rubyzip (~> 1.0)
@@ -103,4 +103,4 @@ DEPENDENCIES
   selenium-webdriver (~> 3.8.0)
 
 BUNDLED WITH
-   1.16.1
+   1.16.4