Ruby/sinatra/2.0.0
Sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.
https://rubygems.org/gems/sinatra
MIT
8 Security Vulnerabilities
Sinatra vulnerable to Reflected File Download attack
- https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw
- https://nvd.nist.gov/vuln/detail/CVE-2022-45442
- https://github.com/sinatra/sinatra/commit/ea8fc9495a350f7551b39e3025bfcd06f49f363b
- https://github.com/advisories/GHSA-8x94-hmjh-97hq
- https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf
- https://github.com/advisories/GHSA-2x8x-jmrp-phxw
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sinatra/CVE-2022-45442.yml
- https://lists.debian.org/debian-lts-announce/2023/01/msg00005.html
Description
An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input.
References
- https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf
- https://github.com/advisories/GHSA-8x94-hmjh-97hq
Sinatra Path Traversal vulnerability
An issue was discovered in rack-protection/lib/rack/protection/path_traversal.rb in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash characters.
Sinatra Cross-site Scripting vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2018-11627
- https://github.com/advisories/GHSA-mq35-wqvf-r23c
- https://github.com/sinatra/sinatra/issues/1428
- https://github.com/sinatra/sinatra/commit/12786867d6faaceaec62c7c2cb5b0e2dc074d71a
- https://access.redhat.com/errata/RHSA-2019:0212
- https://access.redhat.com/errata/RHSA-2019:0315
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sinatra/CVE-2018-11627.yml
Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.
sinatra does not validate expanded path matches
- https://nvd.nist.gov/vuln/detail/CVE-2022-29970
- https://github.com/sinatra/sinatra/pull/1683/commits/462c3ca1db53ed3cfc394cf5948e9c948ad1c10e
- https://github.com/skylightio/skylight-ruby/pull/294
- https://github.com/advisories/GHSA-qp49-3pvw-x4m5
- https://lists.debian.org/debian-lts-announce/2022/10/msg00034.html
- https://github.com/sinatra/sinatra/pull/1683
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sinatra/CVE-2022-29970.yml
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
XSS via the 400 Bad Request page
Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.
sinatra ruby gem path traversal via backslash characters on Windows
An issue was discovered in rack-protection/lib/rack/protection/path_traversal.rb in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash characters.
sinatra does not validate expanded path matches
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
Sinatra vulnerable to Reflected File Download attack
An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input.
103 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 0.1.6 | UNKNOWN | 3 | 2009-07-25 - 17:52 | almost 15 years |
| 0.1.5 | UNKNOWN | 3 | 2009-07-25 - 17:52 | almost 15 years |
| 0.1.0 | UNKNOWN | 3 | 2009-07-25 - 17:52 | almost 15 years |