Ruby/sinatra/1.4.7
Sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.
https://rubygems.org/gems/sinatra
MIT
5 Security Vulnerabilities
Sinatra vulnerable to Reliance on Untrusted Inputs in a Security Decision
Published date: 2024-11-01T06:30:34Z
CVE: CVE-2024-21510
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2024-21510
- https://github.com/sinatra/sinatra/pull/2010
- https://security.snyk.io/vuln/SNYK-RUBY-SINATRA-6483832
- https://github.com/sinatra/sinatra/blob/b626e2d82c23b4fde0b51782fd32ca27ccde1d1a/lib/sinatra/base.rb#L319
- https://github.com/sinatra/sinatra/blob/b626e2d82c23b4fde0b51782fd32ca27ccde1d1a/lib/sinatra/base.rb#L323C1-L343C17
- https://github.com/advisories/GHSA-hxx2-7vcw-mqr3
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sinatra/CVE-2024-21510.yml
- https://github.com/sinatra/sinatra/blob/main/CHANGELOG.md#410--2024-11-18
Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.
Affected versions:
["2.0.8", "2.0.7", "2.0.5", "2.0.3", "2.0.2", "2.0.1.rc1", "2.0.0", "2.0.0.rc6", "2.0.0.rc5", "2.0.0.rc1", "2.0.0.beta1", "1.4.8", "1.4.7", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.4.0.d", "1.3.5", "1.3.3", "1.3.0.f", "1.3.0.d", "1.3.0.c", "1.3.0.b", "1.2.9", "1.2.8", "1.2.6", "1.2.2", "1.2.0", "1.1.4", "1.1.3", "1.1.b", "1.1.a", "1.0.b", "1.0.a", "0.9.6", "0.9.5", "0.9.4", "0.9.2", "0.9.0.2", "0.9.0.1", "0.9.0", "0.3.3", "0.3.2", "0.3.1", "0.1.6", "0.1.0", "2.1.0", "2.0.8.1", "2.0.6", "2.0.4", "2.0.1", "2.0.0.rc2", "2.0.0.beta2", "1.4.6", "1.4.5", "1.4.4", "1.4.0.c", "1.4.0.b", "1.4.0.a", "1.3.6", "1.3.4", "1.3.2", "1.3.1", "1.3.0", "1.3.0.g", "1.3.0.e", "1.3.0.a", "1.2.7", "1.2.3", "1.2.1", "1.2.0.d", "1.2.0.c", "1.2.0.a", "1.1.2", "1.1.0", "1.0", "0.9.1.1", "0.9.1", "0.9.0.5", "0.9.0.4", "0.9.0.3", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "0.1.7", "0.1.5", "2.2.0", "2.2.1", "2.2.2", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "2.2.3", "3.0.4", "3.0.5", "2.2.4", "3.0.6", "3.1.0", "3.2.0", "4.0.0"]
Secure versions:
[4.0.1, 4.1.0, 4.1.1]
Recommendation:
Update to version 4.1.1.
sinatra does not validate expanded path matches
Published date: 2022-05-03T00:00:43Z
CVE: CVE-2022-29970
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2022-29970
- https://github.com/sinatra/sinatra/pull/1683/commits/462c3ca1db53ed3cfc394cf5948e9c948ad1c10e
- https://github.com/skylightio/skylight-ruby/pull/294
- https://github.com/advisories/GHSA-qp49-3pvw-x4m5
- https://lists.debian.org/debian-lts-announce/2022/10/msg00034.html
- https://github.com/sinatra/sinatra/pull/1683
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sinatra/CVE-2022-29970.yml
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
Affected versions:
["2.0.8", "2.0.7", "2.0.5", "2.0.3", "2.0.2", "2.0.1.rc1", "2.0.0", "2.0.0.rc6", "2.0.0.rc5", "2.0.0.rc1", "2.0.0.beta1", "1.4.8", "1.4.7", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.4.0.d", "1.3.5", "1.3.3", "1.3.0.f", "1.3.0.d", "1.3.0.c", "1.3.0.b", "1.2.9", "1.2.8", "1.2.6", "1.2.2", "1.2.0", "1.1.4", "1.1.3", "1.1.b", "1.1.a", "1.0.b", "1.0.a", "0.9.6", "0.9.5", "0.9.4", "0.9.2", "0.9.0.2", "0.9.0.1", "0.9.0", "0.3.3", "0.3.2", "0.3.1", "0.1.6", "0.1.0", "2.1.0", "2.0.8.1", "2.0.6", "2.0.4", "2.0.1", "2.0.0.rc2", "2.0.0.beta2", "1.4.6", "1.4.5", "1.4.4", "1.4.0.c", "1.4.0.b", "1.4.0.a", "1.3.6", "1.3.4", "1.3.2", "1.3.1", "1.3.0", "1.3.0.g", "1.3.0.e", "1.3.0.a", "1.2.7", "1.2.3", "1.2.1", "1.2.0.d", "1.2.0.c", "1.2.0.a", "1.1.2", "1.1.0", "1.0", "0.9.1.1", "0.9.1", "0.9.0.5", "0.9.0.4", "0.9.0.3", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "0.1.7", "0.1.5"]
Secure versions:
[4.0.1, 4.1.0, 4.1.1]
Recommendation:
Update to version 4.1.1.
sinatra does not validate expanded path matches
Published date: 2022-05-03
CVE: 2022-29970
CVSS V2: 5.0
CVSS V3: 7.5
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
Affected versions:
["2.0.8", "2.0.7", "2.0.5", "2.0.3", "2.0.2", "2.0.1.rc1", "2.0.0", "2.0.0.rc6", "2.0.0.rc5", "2.0.0.rc1", "2.0.0.beta1", "1.4.8", "1.4.7", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.4.0.d", "1.3.5", "1.3.3", "1.3.0.f", "1.3.0.d", "1.3.0.c", "1.3.0.b", "1.2.9", "1.2.8", "1.2.6", "1.2.2", "1.2.0", "1.1.4", "1.1.3", "1.1.b", "1.1.a", "1.0.b", "1.0.a", "0.9.6", "0.9.5", "0.9.4", "0.9.2", "0.9.0.2", "0.9.0.1", "0.9.0", "0.3.3", "0.3.2", "0.3.1", "0.1.6", "0.1.0", "2.1.0", "2.0.8.1", "2.0.6", "2.0.4", "2.0.1", "2.0.0.rc2", "2.0.0.beta2", "1.4.6", "1.4.5", "1.4.4", "1.4.0.c", "1.4.0.b", "1.4.0.a", "1.3.6", "1.3.4", "1.3.2", "1.3.1", "1.3.0", "1.3.0.g", "1.3.0.e", "1.3.0.a", "1.2.7", "1.2.3", "1.2.1", "1.2.0.d", "1.2.0.c", "1.2.0.a", "1.1.2", "1.1.0", "1.0", "0.9.1.1", "0.9.1", "0.9.0.5", "0.9.0.4", "0.9.0.3", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "0.1.7", "0.1.5"]
Secure versions:
[4.0.1, 4.1.0, 4.1.1]
Recommendation:
Update to version 4.1.1.
Sinatra vulnerable to Reflected File Download attack
Published date: 2022-11-30
CVE: 2022-45442
CVSS V3: 8.8
An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input.
Affected versions:
["2.0.8", "2.0.7", "2.0.5", "2.0.3", "2.0.2", "2.0.1.rc1", "2.0.0", "2.0.0.rc6", "2.0.0.rc5", "2.0.0.rc1", "2.0.0.beta1", "1.4.8", "1.4.7", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.4.0.d", "1.3.5", "1.3.3", "1.3.0.f", "1.3.0.d", "1.3.0.c", "1.3.0.b", "1.2.9", "1.2.8", "1.2.6", "1.2.2", "1.2.0", "1.1.4", "1.1.3", "1.1.b", "1.1.a", "1.0.b", "1.0.a", "0.9.6", "0.9.5", "0.9.4", "0.9.2", "0.9.0.2", "0.9.0.1", "0.9.0", "0.3.3", "0.3.2", "0.3.1", "0.1.6", "0.1.0", "2.1.0", "2.0.8.1", "2.0.6", "2.0.4", "2.0.1", "2.0.0.rc2", "2.0.0.beta2", "1.4.6", "1.4.5", "1.4.4", "1.4.0.c", "1.4.0.b", "1.4.0.a", "1.3.6", "1.3.4", "1.3.2", "1.3.1", "1.3.0", "1.3.0.g", "1.3.0.e", "1.3.0.a", "1.2.7", "1.2.3", "1.2.1", "1.2.0.d", "1.2.0.c", "1.2.0.a", "1.1.2", "1.1.0", "1.0", "0.9.1.1", "0.9.1", "0.9.0.5", "0.9.0.4", "0.9.0.3", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "0.1.7", "0.1.5", "3.0.0", "3.0.1", "3.0.2", "3.0.3"]
Secure versions:
[4.0.1, 4.1.0, 4.1.1]
Recommendation:
Update to version 4.1.1.
Sinatra vulnerable to Reliance on Untrusted Inputs in a Security Decision
Published date: 2024-11-01
CVE: 2024-21510
CVSS V3: 5.4
Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header.
When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.
Affected versions:
["2.0.8", "2.0.7", "2.0.5", "2.0.3", "2.0.2", "2.0.1.rc1", "2.0.0", "2.0.0.rc6", "2.0.0.rc5", "2.0.0.rc1", "2.0.0.beta1", "1.4.8", "1.4.7", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.4.0.d", "1.3.5", "1.3.3", "1.3.0.f", "1.3.0.d", "1.3.0.c", "1.3.0.b", "1.2.9", "1.2.8", "1.2.6", "1.2.2", "1.2.0", "1.1.4", "1.1.3", "1.1.b", "1.1.a", "1.0.b", "1.0.a", "0.9.6", "0.9.5", "0.9.4", "0.9.2", "0.9.0.2", "0.9.0.1", "0.9.0", "0.3.3", "0.3.2", "0.3.1", "0.1.6", "0.1.0", "2.1.0", "2.0.8.1", "2.0.6", "2.0.4", "2.0.1", "2.0.0.rc2", "2.0.0.beta2", "1.4.6", "1.4.5", "1.4.4", "1.4.0.c", "1.4.0.b", "1.4.0.a", "1.3.6", "1.3.4", "1.3.2", "1.3.1", "1.3.0", "1.3.0.g", "1.3.0.e", "1.3.0.a", "1.2.7", "1.2.3", "1.2.1", "1.2.0.d", "1.2.0.c", "1.2.0.a", "1.1.2", "1.1.0", "1.0", "0.9.1.1", "0.9.1", "0.9.0.5", "0.9.0.4", "0.9.0.3", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "0.1.7", "0.1.5", "2.2.0", "2.2.1", "2.2.2", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "2.2.3", "3.0.4", "3.0.5", "2.2.4", "3.0.6", "3.1.0", "3.2.0", "4.0.0"]
Secure versions:
[4.0.1, 4.1.0, 4.1.1]
Recommendation:
Update to version 4.1.1.
106 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 1.3.5 | UNKNOWN | 5 | 2013-02-25 - 10:09 | over 12 years |
| 1.3.4 | UNKNOWN | 5 | 2013-01-26 - 22:18 | over 12 years |
| 1.3.3 | UNKNOWN | 5 | 2012-08-19 - 12:54 | almost 13 years |
| 1.3.2 | UNKNOWN | 5 | 2011-12-30 - 12:55 | over 13 years |
| 1.3.1 | UNKNOWN | 5 | 2011-10-05 - 01:29 | over 13 years |
| 1.3.0 | UNKNOWN | 5 | 2011-10-01 - 02:17 | almost 14 years |
| 1.3.0.c | UNKNOWN | 5 | 2011-04-13 - 13:50 | about 14 years |
| 1.3.0.g | UNKNOWN | 5 | 2011-09-25 - 21:45 | almost 14 years |
| 1.3.0.e | UNKNOWN | 5 | 2011-06-09 - 08:38 | about 14 years |
| 1.3.0.a | UNKNOWN | 5 | 2011-03-22 - 17:27 | over 14 years |
| 1.3.0.f | UNKNOWN | 5 | 2011-09-11 - 17:12 | almost 14 years |
| 1.3.0.b | UNKNOWN | 5 | 2011-04-08 - 17:14 | about 14 years |
| 1.3.0.d | UNKNOWN | 5 | 2011-04-30 - 09:06 | about 14 years |
| 1.2.9 | UNKNOWN | 5 | 2013-03-15 - 11:01 | over 12 years |
| 1.2.8 | UNKNOWN | 5 | 2011-12-30 - 12:47 | over 13 years |
| 1.2.7 | UNKNOWN | 5 | 2011-10-01 - 02:32 | almost 14 years |
| 1.2.6 | UNKNOWN | 5 | 2011-05-01 - 08:25 | about 14 years |
| 1.2.3 | UNKNOWN | 5 | 2011-04-13 - 13:42 | about 14 years |
| 1.2.2 | UNKNOWN | 5 | 2011-04-08 - 17:24 | about 14 years |
| 1.2.1 | UNKNOWN | 5 | 2011-03-17 - 10:35 | over 14 years |
| 1.2.0 | UNKNOWN | 5 | 2011-03-03 - 20:50 | over 14 years |
| 1.2.0.c | UNKNOWN | 5 | 2011-02-19 - 21:37 | over 14 years |
| 1.2.0.a | UNKNOWN | 5 | 2010-12-25 - 22:38 | over 14 years |
| 1.2.0.d | UNKNOWN | 5 | 2011-02-26 - 15:18 | over 14 years |
| 1.1.4 | UNKNOWN | 5 | 2011-04-13 - 13:36 | about 14 years |
| 1.1.3 | UNKNOWN | 5 | 2011-02-20 - 09:15 | over 14 years |
| 1.1.2 | UNKNOWN | 5 | 2010-12-25 - 22:56 | over 14 years |
| 1.1.0 | UNKNOWN | 5 | 2010-10-24 - 14:01 | over 14 years |
| 1.1.b | UNKNOWN | 5 | 2010-10-23 - 08:04 | over 14 years |
| 1.1.a | UNKNOWN | 5 | 2010-10-19 - 12:51 | over 14 years |
| 1.0 | MIT | 5 | 2010-03-23 - 21:25 | over 15 years |
| 1.0.a | UNKNOWN | 5 | 2010-01-28 - 19:53 | over 15 years |
| 1.0.b | UNKNOWN | 5 | 2010-03-07 - 15:34 | over 15 years |
| 0.9.6 | UNKNOWN | 5 | 2010-03-07 - 10:54 | over 15 years |
| 0.9.5 | UNKNOWN | 5 | 2010-03-04 - 15:16 | over 15 years |
| 0.9.4 | UNKNOWN | 5 | 2009-08-05 - 13:47 | almost 16 years |
| 0.9.2 | UNKNOWN | 5 | 2009-07-25 - 17:52 | almost 16 years |
| 0.9.1.1 | UNKNOWN | 5 | 2009-07-25 - 17:52 | almost 16 years |
| 0.9.1 | UNKNOWN | 5 | 2009-07-25 - 17:52 | almost 16 years |
| 0.9.0.5 | UNKNOWN | 5 | 2009-07-25 - 17:52 | almost 16 years |
| 0.9.0.4 | UNKNOWN | 5 | 2009-07-25 - 17:52 | almost 16 years |
| 0.9.0.3 | UNKNOWN | 5 | 2009-07-25 - 17:52 | almost 16 years |
| 0.9.0.2 | UNKNOWN | 5 | 2009-07-25 - 17:52 | almost 16 years |
| 0.9.0.1 | UNKNOWN | 5 | 2009-07-25 - 17:52 | almost 16 years |
| 0.9.0 | UNKNOWN | 5 | 2009-07-25 - 17:52 | almost 16 years |
| 0.3.3 | UNKNOWN | 5 | 2009-07-25 - 17:52 | almost 16 years |
| 0.3.2 | UNKNOWN | 5 | 2009-07-25 - 17:52 | almost 16 years |
| 0.3.1 | UNKNOWN | 5 | 2009-07-25 - 17:52 | almost 16 years |
| 0.3.0 | UNKNOWN | 5 | 2009-07-25 - 17:52 | almost 16 years |
| 0.2.2 | UNKNOWN | 5 | 2009-07-25 - 17:52 | almost 16 years |