CVE-2022-45442

Published: 28/11/2022 Updated: 01/02/2023
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 0

Vulnerability Summary

Sinatra is a domain-specific language for creating web applications in Ruby. Sinatra 2.0 prior to 2.2.3 and 3.0 prior to 3.0.4 are affected. An application is vulnerable to a reflected file download (RFD) attack when it sets the Content-Disposition header of a response with a filename derived from user-supplied input: because the filename is placed into the header value without sanitisation, an attacker can supply a name containing quotes, semicolons or control characters and cause the victim's browser to save the response under an attacker-chosen name and extension (for example a batch script) while the download appears to come from the trusted site. Versions 2.2.3 and 3.0.4 contain patches for this issue.
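The header-injection mechanism described above, as an added example that is not Sinatra's code or its patch: a naive builder that interpolates a user-supplied name into Content-Disposition, beside a hardened builder, plus a small lenient parser that makes an injected duplicate filename parameter visible. The function names, the extension allowlist and the sample attacker input are assumptions for illustration.

```ruby
# Added example, not Sinatra's own code: a Content-Disposition filename
# taken from user input, built naively and then hardened.
# The function names, the extension allowlist and the sample attacker
# input below are assumptions for illustration.

# Naive builder: mirrors the risky pattern of interpolating a
# user-controlled name straight into the header value.
def naive_content_disposition(filename)
  %(attachment; filename="#{File.basename(filename.to_s)}")
end

# Extensions this (hypothetical) application is willing to serve as downloads.
ALLOWED_EXTENSIONS = %w[.csv .txt .json .pdf].freeze

# Hardened builder: strips path components, removes the characters that can
# close the quoted-string or start a new parameter (quote, backslash,
# semicolon) and any control character (so CRLF cannot split the header),
# then enforces an extension allowlist so the browser can never be told to
# save an executable name. Anything that fails the checks gets the fallback.
def safe_content_disposition(filename, fallback: "download.txt")
  name = File.basename(filename.to_s)
  name = name.gsub(/["\\;]/, "").gsub(/[[:cntrl:]]/, "").strip
  ext  = File.extname(name).downcase
  name = fallback if name.empty? || !ALLOWED_EXTENSIONS.include?(ext)
  %(attachment; filename="#{name}")
end

# Minimal parser for the parameters of a Content-Disposition value, keeping
# every occurrence of a parameter so injected duplicates become visible.
# It is deliberately lenient and is not a model of any specific browser.
def disposition_params(header)
  params = Hash.new { |h, k| h[k] = [] }
  header.split(";").drop(1).each do |part|
    key, value = part.strip.split("=", 2)
    next if key.nil? || value.nil?
    params[key.downcase] << value.delete('"')
  end
  params
end

# Constructed attacker input: closes the quoted filename and appends a
# second filename parameter naming a Windows batch file.
ATTACKER_NAME = 'report.csv";filename="setup.bat'

if __FILE__ == $PROGRAM_NAME
  puts "naive:  #{naive_content_disposition(ATTACKER_NAME)}"
  puts "        #{disposition_params(naive_content_disposition(ATTACKER_NAME)).inspect}"
  puts "safe:   #{safe_content_disposition(ATTACKER_NAME)}"
  puts "benign: #{safe_content_disposition('q1 report.csv')}"
end
```

With the naive builder the response carries two filename parameters, the second of which names `setup.bat`; the hardened builder rejects the name outright and falls back. Upgrading to the patched Sinatra versions is the real fix; the allowlist and character stripping shown here are the application-level belt-and-braces a reviewer would still expect wherever a download name is derived from request data.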

Vulnerable Products

sinatrarb sinatra

debian debian linux 10.0

Vendor Advisories

Debian Bug report logs - #1025125 ruby-sinatra: CVE-2022-45442: Reflected File Download attack. Package: src:ruby-sinatra; Maintainer for src:ruby-sinatra is Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Tue, 29 Nov 2022 21:12:06 UTC ...
Synopsis Moderate: pcs security update. Type/Severity Security Advisory: Moderate. Red Hat Insights patch analysis: identify and remediate systems affected by this advisory (view affected systems). Topic: An update for pcs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security i ...
Synopsis Moderate: pcs security update. Type/Severity Security Advisory: Moderate. Red Hat Insights patch analysis: identify and remediate systems affected by this advisory (view affected systems). Topic: An update for pcs is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rate ...
Synopsis Moderate: pcs security update. Type/Severity Security Advisory: Moderate. Red Hat Insights patch analysis: identify and remediate systems affected by this advisory (view affected systems). Topic: An update for pcs is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this upd ...
Synopsis Moderate: pcs security update. Type/Severity Security Advisory: Moderate. Red Hat Insights patch analysis: identify and remediate systems affected by this advisory (view affected systems). Topic: An update for pcs is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security i ...
Synopsis Moderate: pcs security update. Type/Severity Security Advisory: Moderate. Red Hat Insights patch analysis: identify and remediate systems affected by this advisory (view affected systems). Topic: An update for pcs is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunica ...
Synopsis Moderate: pcs security update. Type/Severity Security Advisory: Moderate. Red Hat Insights patch analysis: identify and remediate systems affected by this advisory (view affected systems). Topic: An update for pcs is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this upd ...
Description: The MITRE CVE dictionary describes this issue as: Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the fil ...