Ruby/sinatra/1.4.7

Sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.

https://rubygems.org/gems/sinatra
MIT

6 Security Vulnerabilities

Sinatra vulnerable to Reliance on Untrusted Inputs in a Security Decision

Published date: 2024-11-01T06:30:34Z
CVE: CVE-2024-21510
Links:

Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.

Affected versions: ["2.0.8", "2.0.7", "2.0.5", "2.0.3", "2.0.2", "2.0.1.rc1", "2.0.0", "2.0.0.rc6", "2.0.0.rc5", "2.0.0.rc1", "2.0.0.beta1", "1.4.8", "1.4.7", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.4.0.d", "1.3.5", "1.3.3", "1.3.0.f", "1.3.0.d", "1.3.0.c", "1.3.0.b", "1.2.9", "1.2.8", "1.2.6", "1.2.2", "1.2.0", "1.1.4", "1.1.3", "1.1.b", "1.1.a", "1.0.b", "1.0.a", "0.9.6", "0.9.5", "0.9.4", "0.9.2", "0.9.0.2", "0.9.0.1", "0.9.0", "0.3.3", "0.3.2", "0.3.1", "0.1.6", "0.1.0", "2.1.0", "2.0.8.1", "2.0.6", "2.0.4", "2.0.1", "2.0.0.rc2", "2.0.0.beta2", "1.4.6", "1.4.5", "1.4.4", "1.4.0.c", "1.4.0.b", "1.4.0.a", "1.3.6", "1.3.4", "1.3.2", "1.3.1", "1.3.0", "1.3.0.g", "1.3.0.e", "1.3.0.a", "1.2.7", "1.2.3", "1.2.1", "1.2.0.d", "1.2.0.c", "1.2.0.a", "1.1.2", "1.1.0", "1.0", "0.9.1.1", "0.9.1", "0.9.0.5", "0.9.0.4", "0.9.0.3", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "0.1.7", "0.1.5", "2.2.0", "2.2.1", "2.2.2", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "2.2.3", "3.0.4", "3.0.5", "2.2.4", "3.0.6", "3.1.0", "3.2.0", "4.0.0"]
Secure versions: [4.2.0, 4.2.1]
Recommendation: Update to version 4.2.1.

sinatra does not validate expanded path matches

Published date: 2022-05-03T00:00:43Z
CVE: CVE-2022-29970
Links:

Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.

Affected versions: ["2.1.0", "2.0.8.1", "2.0.8", "2.0.7", "2.0.6", "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0.1.rc1", "2.0.0", "2.0.0.rc6", "2.0.0.rc5", "2.0.0.rc2", "2.0.0.rc1", "2.0.0.beta2", "2.0.0.beta1", "1.4.8", "1.4.7", "1.4.6", "1.4.5", "1.4.4", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.4.0.d", "1.4.0.c", "1.4.0.a", "1.4.0.b", "1.3.6", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.3.0.f", "1.3.0.d", "1.3.0.c", "1.3.0.b", "1.3.0.g", "1.3.0.e", "1.3.0.a", "1.2.9", "1.2.8", "1.2.7", "1.2.6", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.2.0.a", "1.2.0.d", "1.2.0.c", "1.1.4", "1.1.3", "1.1.2", "1.1.0", "1.1.b", "1.1.a", "1.0", "1.0.a", "1.0.b", "0.9.6", "0.9.5", "0.9.4", "0.9.2", "0.9.1.1", "0.9.1", "0.9.0.5", "0.9.0.4", "0.9.0.3", "0.9.0.2", "0.9.0.1", "0.9.0", "0.3.3", "0.3.2", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "0.1.7", "0.1.6", "0.1.5", "0.1.0"]
Secure versions: [4.2.0, 4.2.1]
Recommendation: Update to version 4.2.1.

sinatra does not validate expanded path matches

Published date: 2022-05-03
CVE: 2022-29970
CVSS V2: 5.0
CVSS V3: 7.5
Links:

Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.

Affected versions: ["2.0.7", "2.0.0.rc6", "2.0.0.rc5", "1.4.3", "1.3.5", "1.3.0.f", "1.3.0.d", "1.3.0.c", "0.9.5", "0.1.6", "0.1.0", "2.0.8", "2.0.5", "1.4.0", "1.3.0.b", "1.2.9", "1.2.2", "1.2.0", "1.1.b", "1.1.a", "1.0.a", "0.9.2", "0.9.0", "2.0.3", "2.0.1.rc1", "2.0.0", "2.0.0.rc1", "2.0.0.beta1", "1.4.1", "1.2.8", "1.2.6", "1.1.4", "1.1.3", "0.9.6", "0.9.4", "0.9.0.2", "0.3.1", "2.0.2", "1.4.8", "1.4.7", "1.4.2", "1.4.0.d", "1.3.3", "1.0.b", "0.9.0.1", "0.3.3", "0.3.2", "1.4.6", "1.3.1", "1.2.1", "1.2.0.a", "1.1.2", "0.3.0", "0.1.7", "2.0.6", "2.0.4", "2.0.1", "2.0.0.beta2", "1.3.2", "1.3.0", "1.2.7", "1.2.3", "1.2.0.d", "1.2.0.c", "1.1.0", "0.9.0.4", "0.9.0.3", "0.2.2", "2.1.0", "2.0.8.1", "1.4.5", "1.4.0.c", "1.4.0.a", "1.3.6", "1.3.4", "1.3.0.g", "1.3.0.e", "1.3.0.a", "0.9.1.1", "0.9.0.5", "0.2.0", "0.1.5", "2.0.0.rc2", "1.4.4", "1.4.0.b", "1.0", "0.9.1", "0.2.1"]
Secure versions: [4.2.0, 4.2.1]
Recommendation: Update to version 4.2.1.

Sinatra vulnerable to Reflected File Download attack

Published date: 2022-11-30
CVE: 2022-45442
CVSS V3: 8.8
Links:

An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input.

Affected versions: ["2.0.7", "2.0.0.rc6", "2.0.0.rc5", "1.4.3", "1.3.5", "1.3.0.f", "1.3.0.d", "1.3.0.c", "0.9.5", "0.1.6", "0.1.0", "2.0.8", "2.0.5", "1.4.0", "1.3.0.b", "1.2.9", "1.2.2", "1.2.0", "1.1.b", "1.1.a", "1.0.a", "0.9.2", "0.9.0", "2.0.3", "2.0.1.rc1", "2.0.0", "2.0.0.rc1", "2.0.0.beta1", "1.4.1", "1.2.8", "1.2.6", "1.1.4", "1.1.3", "0.9.6", "0.9.4", "0.9.0.2", "0.3.1", "2.0.2", "1.4.8", "1.4.7", "1.4.2", "1.4.0.d", "1.3.3", "1.0.b", "0.9.0.1", "0.3.3", "0.3.2", "1.4.6", "1.3.1", "1.2.1", "1.2.0.a", "1.1.2", "0.3.0", "0.1.7", "2.0.6", "2.0.4", "2.0.1", "2.0.0.beta2", "1.3.2", "1.3.0", "1.2.7", "1.2.3", "1.2.0.d", "1.2.0.c", "1.1.0", "0.9.0.4", "0.9.0.3", "0.2.2", "2.1.0", "2.0.8.1", "1.4.5", "1.4.0.c", "1.4.0.a", "1.3.6", "1.3.4", "1.3.0.g", "1.3.0.e", "1.3.0.a", "0.9.1.1", "0.9.0.5", "0.2.0", "0.1.5", "2.0.0.rc2", "1.4.4", "1.4.0.b", "1.0", "0.9.1", "0.2.1", "3.0.0", "3.0.1", "3.0.2", "3.0.3"]
Secure versions: [4.2.0, 4.2.1]
Recommendation: Update to version 4.2.1.

Sinatra vulnerable to Reliance on Untrusted Inputs in a Security Decision

Published date: 2024-11-01
CVE: 2024-21510
CVSS V3: 5.4
Links:

Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header.

When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.

Affected versions: ["2.0.7", "2.0.0.rc6", "2.0.0.rc5", "1.4.3", "1.3.5", "1.3.0.f", "1.3.0.d", "1.3.0.c", "0.9.5", "0.1.6", "0.1.0", "2.0.8", "2.0.5", "1.4.0", "1.3.0.b", "1.2.9", "1.2.2", "1.2.0", "1.1.b", "1.1.a", "1.0.a", "0.9.2", "0.9.0", "2.0.3", "2.0.1.rc1", "2.0.0", "2.0.0.rc1", "2.0.0.beta1", "1.4.1", "1.2.8", "1.2.6", "1.1.4", "1.1.3", "0.9.6", "0.9.4", "0.9.0.2", "0.3.1", "2.0.2", "1.4.8", "1.4.7", "1.4.2", "1.4.0.d", "1.3.3", "1.0.b", "0.9.0.1", "0.3.3", "0.3.2", "1.4.6", "1.3.1", "1.2.1", "1.2.0.a", "1.1.2", "0.3.0", "0.1.7", "2.0.6", "2.0.4", "2.0.1", "2.0.0.beta2", "1.3.2", "1.3.0", "1.2.7", "1.2.3", "1.2.0.d", "1.2.0.c", "1.1.0", "0.9.0.4", "0.9.0.3", "0.2.2", "2.1.0", "2.0.8.1", "1.4.5", "1.4.0.c", "1.4.0.a", "1.3.6", "1.3.4", "1.3.0.g", "1.3.0.e", "1.3.0.a", "0.9.1.1", "0.9.0.5", "0.2.0", "0.1.5", "2.0.0.rc2", "1.4.4", "1.4.0.b", "1.0", "0.9.1", "0.2.1", "2.2.0", "2.2.1", "2.2.2", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "2.2.3", "3.0.4", "2.2.4", "3.0.5", "3.0.6", "3.1.0", "3.2.0", "4.0.0", "4.0.1"]
Secure versions: [4.2.0, 4.2.1]
Recommendation: Update to version 4.2.1.

Sinatra is vulnerable to ReDoS through ETag header value generation

Published date: 2025-10-10
CVE: 2025-61921
Links:

Summary

There is a denial of service vulnerability in the If-Match and If-None-Match header parsing component of Sinatra, if the etag method is used when constructing the response and you are using Ruby < 3.2.

Details

Carefully crafted input can cause If-Match and If-None-Match header parsing in Sinatra to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically involved in generating the ETag header value. Any applications that use the etag method when generating a response are impacted if they are using Ruby below version 3.2.

Resources

Affected versions: ["2.0.7", "2.0.0.rc6", "2.0.0.rc5", "1.4.3", "1.3.5", "1.3.0.f", "1.3.0.d", "1.3.0.c", "0.9.5", "0.1.6", "0.1.0", "2.0.8", "2.0.5", "1.4.0", "1.3.0.b", "1.2.9", "1.2.2", "1.2.0", "1.1.b", "1.1.a", "1.0.a", "0.9.2", "0.9.0", "2.0.3", "2.0.1.rc1", "2.0.0", "2.0.0.rc1", "2.0.0.beta1", "1.4.1", "1.2.8", "1.2.6", "1.1.4", "1.1.3", "0.9.6", "0.9.4", "0.9.0.2", "0.3.1", "2.0.2", "1.4.8", "1.4.7", "1.4.2", "1.4.0.d", "1.3.3", "1.0.b", "0.9.0.1", "0.3.3", "0.3.2", "1.4.6", "1.3.1", "1.2.1", "1.2.0.a", "1.1.2", "0.3.0", "0.1.7", "2.0.6", "2.0.4", "2.0.1", "2.0.0.beta2", "1.3.2", "1.3.0", "1.2.7", "1.2.3", "1.2.0.d", "1.2.0.c", "1.1.0", "0.9.0.4", "0.9.0.3", "0.2.2", "2.1.0", "2.0.8.1", "1.4.5", "1.4.0.c", "1.4.0.a", "1.3.6", "1.3.4", "1.3.0.g", "1.3.0.e", "1.3.0.a", "0.9.1.1", "0.9.0.5", "0.2.0", "0.1.5", "2.0.0.rc2", "1.4.4", "1.4.0.b", "1.0", "0.9.1", "0.2.1", "2.2.0", "2.2.1", "2.2.2", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "2.2.3", "3.0.4", "2.2.4", "3.0.5", "3.0.6", "3.1.0", "3.2.0", "4.0.0", "4.1.0", "4.1.1", "4.0.1"]
Secure versions: [4.2.0, 4.2.1]
Recommendation: Update to version 4.2.1.

108 Other Versions

Version License Security Released
1.4.0.b UNKNOWN 6 2013-02-26 - 13:58 over 12 years
1.3.6 UNKNOWN 6 2013-03-15 - 11:23 over 12 years
1.3.5 UNKNOWN 6 2013-02-25 - 10:09 over 12 years
1.3.4 UNKNOWN 6 2013-01-26 - 22:18 almost 13 years
1.3.3 UNKNOWN 6 2012-08-19 - 12:54 about 13 years
1.3.2 UNKNOWN 6 2011-12-30 - 12:55 almost 14 years
1.3.1 UNKNOWN 6 2011-10-05 - 01:29 about 14 years
1.3.0 UNKNOWN 6 2011-10-01 - 02:17 about 14 years
1.3.0.f UNKNOWN 6 2011-09-11 - 17:12 about 14 years
1.3.0.d UNKNOWN 6 2011-04-30 - 09:06 over 14 years
1.3.0.c UNKNOWN 6 2011-04-13 - 13:50 over 14 years
1.3.0.b UNKNOWN 6 2011-04-08 - 17:14 over 14 years
1.3.0.g UNKNOWN 6 2011-09-25 - 21:45 about 14 years
1.3.0.e UNKNOWN 6 2011-06-09 - 08:38 over 14 years
1.3.0.a UNKNOWN 6 2011-03-22 - 17:27 over 14 years
1.2.9 UNKNOWN 6 2013-03-15 - 11:01 over 12 years
1.2.8 UNKNOWN 6 2011-12-30 - 12:47 almost 14 years
1.2.7 UNKNOWN 6 2011-10-01 - 02:32 about 14 years
1.2.6 UNKNOWN 6 2011-05-01 - 08:25 over 14 years
1.2.3 UNKNOWN 6 2011-04-13 - 13:42 over 14 years
1.2.2 UNKNOWN 6 2011-04-08 - 17:24 over 14 years
1.2.1 UNKNOWN 6 2011-03-17 - 10:35 over 14 years
1.2.0 UNKNOWN 6 2011-03-03 - 20:50 over 14 years
1.2.0.a UNKNOWN 6 2010-12-25 - 22:38 almost 15 years
1.2.0.d UNKNOWN 6 2011-02-26 - 15:18 over 14 years
1.2.0.c UNKNOWN 6 2011-02-19 - 21:37 over 14 years
1.1.4 UNKNOWN 6 2011-04-13 - 13:36 over 14 years
1.1.3 UNKNOWN 6 2011-02-20 - 09:15 over 14 years
1.1.2 UNKNOWN 6 2010-12-25 - 22:56 almost 15 years
1.1.0 UNKNOWN 6 2010-10-24 - 14:01 about 15 years
1.1.b UNKNOWN 6 2010-10-23 - 08:04 about 15 years
1.1.a UNKNOWN 6 2010-10-19 - 12:51 about 15 years
1.0 MIT 6 2010-03-23 - 21:25 over 15 years
1.0.a UNKNOWN 6 2010-01-28 - 19:53 almost 16 years
1.0.b UNKNOWN 6 2010-03-07 - 15:34 over 15 years
0.9.6 UNKNOWN 6 2010-03-07 - 10:54 over 15 years
0.9.5 UNKNOWN 6 2010-03-04 - 15:16 over 15 years
0.9.4 UNKNOWN 6 2009-08-05 - 13:47 over 16 years
0.9.2 UNKNOWN 6 2009-07-25 - 17:52 over 16 years
0.9.1.1 UNKNOWN 6 2009-07-25 - 17:52 over 16 years
0.9.1 UNKNOWN 6 2009-07-25 - 17:52 over 16 years
0.9.0.5 UNKNOWN 6 2009-07-25 - 17:52 over 16 years
0.9.0.4 UNKNOWN 6 2009-07-25 - 17:52 over 16 years
0.9.0.3 UNKNOWN 6 2009-07-25 - 17:52 over 16 years
0.9.0.2 UNKNOWN 6 2009-07-25 - 17:52 over 16 years
0.9.0.1 UNKNOWN 6 2009-07-25 - 17:52 over 16 years
0.9.0 UNKNOWN 6 2009-07-25 - 17:52 over 16 years
0.3.3 UNKNOWN 6 2009-07-25 - 17:52 over 16 years
0.3.2 UNKNOWN 6 2009-07-25 - 17:52 over 16 years
0.3.1 UNKNOWN 6 2009-07-25 - 17:52 over 16 years