Ruby/sinatra/2.0.1.rc1

Sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.

https://rubygems.org/gems/sinatra
MIT

10 Security Vulnerabilities

Sinatra vulnerable to Reflected File Download attack

Published date: 2022-11-30T21:18:34Z
CVE: CVE-2022-45442
Links:

Description

An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input.

References

Affected versions: ["2.0.8", "2.0.7", "2.0.5", "2.0.3", "2.0.2", "2.0.1.rc1", "2.0.0", "2.1.0", "2.0.8.1", "2.0.6", "2.0.4", "2.0.1", "2.2.0", "2.2.1", "2.2.2", "3.0.0", "3.0.1", "3.0.2", "3.0.3"]
Secure versions: [4.0.1, 4.1.0, 4.1.1]
Recommendation: Update to version 4.1.1.

Sinatra Path Traversal vulnerability

Published date: 2018-02-20T19:23:20Z
CVE: CVE-2018-7212
Links:

An issue was discovered in rack-protection/lib/rack/protection/path_traversal.rb in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash characters.

Affected versions: ["2.0.1.rc1", "2.0.0", "2.0.0.rc6", "2.0.0.rc5", "2.0.0.rc1", "2.0.0.beta1", "2.0.0.rc2", "2.0.0.beta2"]
Secure versions: [4.0.1, 4.1.0, 4.1.1]
Recommendation: Update to version 4.1.1.

Sinatra vulnerable to Reliance on Untrusted Inputs in a Security Decision

Published date: 2024-11-01T06:30:34Z
CVE: CVE-2024-21510
Links:

Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.

Affected versions: ["2.0.8", "2.0.7", "2.0.5", "2.0.3", "2.0.2", "2.0.1.rc1", "2.0.0", "2.0.0.rc6", "2.0.0.rc5", "2.0.0.rc1", "2.0.0.beta1", "1.4.8", "1.4.7", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.4.0.d", "1.3.5", "1.3.3", "1.3.0.f", "1.3.0.d", "1.3.0.c", "1.3.0.b", "1.2.9", "1.2.8", "1.2.6", "1.2.2", "1.2.0", "1.1.4", "1.1.3", "1.1.b", "1.1.a", "1.0.b", "1.0.a", "0.9.6", "0.9.5", "0.9.4", "0.9.2", "0.9.0.2", "0.9.0.1", "0.9.0", "0.3.3", "0.3.2", "0.3.1", "0.1.6", "0.1.0", "2.1.0", "2.0.8.1", "2.0.6", "2.0.4", "2.0.1", "2.0.0.rc2", "2.0.0.beta2", "1.4.6", "1.4.5", "1.4.4", "1.4.0.c", "1.4.0.b", "1.4.0.a", "1.3.6", "1.3.4", "1.3.2", "1.3.1", "1.3.0", "1.3.0.g", "1.3.0.e", "1.3.0.a", "1.2.7", "1.2.3", "1.2.1", "1.2.0.d", "1.2.0.c", "1.2.0.a", "1.1.2", "1.1.0", "1.0", "0.9.1.1", "0.9.1", "0.9.0.5", "0.9.0.4", "0.9.0.3", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "0.1.7", "0.1.5", "2.2.0", "2.2.1", "2.2.2", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "2.2.3", "3.0.4", "3.0.5", "2.2.4", "3.0.6", "3.1.0", "3.2.0", "4.0.0"]
Secure versions: [4.0.1, 4.1.0, 4.1.1]
Recommendation: Update to version 4.1.1.

Sinatra Cross-site Scripting vulnerability

Published date: 2018-06-05T21:32:06Z
CVE: CVE-2018-11627
Links:

Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.

Affected versions: ["2.0.1.rc1", "2.0.0", "2.0.1"]
Secure versions: [4.0.1, 4.1.0, 4.1.1]
Recommendation: Update to version 4.1.1.

sinatra does not validate expanded path matches

Published date: 2022-05-03T00:00:43Z
CVE: CVE-2022-29970
Links:

Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.

Affected versions: ["2.0.8", "2.0.7", "2.0.5", "2.0.3", "2.0.2", "2.0.1.rc1", "2.0.0", "2.0.0.rc6", "2.0.0.rc5", "2.0.0.rc1", "2.0.0.beta1", "1.4.8", "1.4.7", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.4.0.d", "1.3.5", "1.3.3", "1.3.0.f", "1.3.0.d", "1.3.0.c", "1.3.0.b", "1.2.9", "1.2.8", "1.2.6", "1.2.2", "1.2.0", "1.1.4", "1.1.3", "1.1.b", "1.1.a", "1.0.b", "1.0.a", "0.9.6", "0.9.5", "0.9.4", "0.9.2", "0.9.0.2", "0.9.0.1", "0.9.0", "0.3.3", "0.3.2", "0.3.1", "0.1.6", "0.1.0", "2.1.0", "2.0.8.1", "2.0.6", "2.0.4", "2.0.1", "2.0.0.rc2", "2.0.0.beta2", "1.4.6", "1.4.5", "1.4.4", "1.4.0.c", "1.4.0.b", "1.4.0.a", "1.3.6", "1.3.4", "1.3.2", "1.3.1", "1.3.0", "1.3.0.g", "1.3.0.e", "1.3.0.a", "1.2.7", "1.2.3", "1.2.1", "1.2.0.d", "1.2.0.c", "1.2.0.a", "1.1.2", "1.1.0", "1.0", "0.9.1.1", "0.9.1", "0.9.0.5", "0.9.0.4", "0.9.0.3", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "0.1.7", "0.1.5"]
Secure versions: [4.0.1, 4.1.0, 4.1.1]
Recommendation: Update to version 4.1.1.

XSS via the 400 Bad Request page

Published date: 2018-05-31
CVE: 2018-11627
CVSS V3: 6.1
Links:

Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.

Affected versions: ["2.0.1.rc1", "2.0.0", "2.0.0.rc6", "2.0.0.rc5", "2.0.0.rc1", "2.0.0.beta1", "2.0.1", "2.0.0.rc2", "2.0.0.beta2"]
Secure versions: [4.0.1, 4.1.0, 4.1.1]
Recommendation: Update to version 4.1.1.

sinatra ruby gem path traversal via backslash characters on Windows

Published date: 2018-01-09
CVE: 2018-7212
CVSS V2: 5.0
CVSS V3: 5.3
Links:

An issue was discovered in rack-protection/lib/rack/protection/path_traversal.rb in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash characters.

Affected versions: ["2.0.1.rc1", "2.0.0"]
Secure versions: [4.0.1, 4.1.0, 4.1.1]
Recommendation: Update to version 4.1.1.

sinatra does not validate expanded path matches

Published date: 2022-05-03
CVE: 2022-29970
CVSS V2: 5.0
CVSS V3: 7.5
Links:

Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.

Affected versions: ["2.0.8", "2.0.7", "2.0.5", "2.0.3", "2.0.2", "2.0.1.rc1", "2.0.0", "2.0.0.rc6", "2.0.0.rc5", "2.0.0.rc1", "2.0.0.beta1", "1.4.8", "1.4.7", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.4.0.d", "1.3.5", "1.3.3", "1.3.0.f", "1.3.0.d", "1.3.0.c", "1.3.0.b", "1.2.9", "1.2.8", "1.2.6", "1.2.2", "1.2.0", "1.1.4", "1.1.3", "1.1.b", "1.1.a", "1.0.b", "1.0.a", "0.9.6", "0.9.5", "0.9.4", "0.9.2", "0.9.0.2", "0.9.0.1", "0.9.0", "0.3.3", "0.3.2", "0.3.1", "0.1.6", "0.1.0", "2.1.0", "2.0.8.1", "2.0.6", "2.0.4", "2.0.1", "2.0.0.rc2", "2.0.0.beta2", "1.4.6", "1.4.5", "1.4.4", "1.4.0.c", "1.4.0.b", "1.4.0.a", "1.3.6", "1.3.4", "1.3.2", "1.3.1", "1.3.0", "1.3.0.g", "1.3.0.e", "1.3.0.a", "1.2.7", "1.2.3", "1.2.1", "1.2.0.d", "1.2.0.c", "1.2.0.a", "1.1.2", "1.1.0", "1.0", "0.9.1.1", "0.9.1", "0.9.0.5", "0.9.0.4", "0.9.0.3", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "0.1.7", "0.1.5"]
Secure versions: [4.0.1, 4.1.0, 4.1.1]
Recommendation: Update to version 4.1.1.

Sinatra vulnerable to Reflected File Download attack

Published date: 2022-11-30
CVE: 2022-45442
CVSS V3: 8.8
Links:

An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input.

Affected versions: ["2.0.8", "2.0.7", "2.0.5", "2.0.3", "2.0.2", "2.0.1.rc1", "2.0.0", "2.0.0.rc6", "2.0.0.rc5", "2.0.0.rc1", "2.0.0.beta1", "1.4.8", "1.4.7", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.4.0.d", "1.3.5", "1.3.3", "1.3.0.f", "1.3.0.d", "1.3.0.c", "1.3.0.b", "1.2.9", "1.2.8", "1.2.6", "1.2.2", "1.2.0", "1.1.4", "1.1.3", "1.1.b", "1.1.a", "1.0.b", "1.0.a", "0.9.6", "0.9.5", "0.9.4", "0.9.2", "0.9.0.2", "0.9.0.1", "0.9.0", "0.3.3", "0.3.2", "0.3.1", "0.1.6", "0.1.0", "2.1.0", "2.0.8.1", "2.0.6", "2.0.4", "2.0.1", "2.0.0.rc2", "2.0.0.beta2", "1.4.6", "1.4.5", "1.4.4", "1.4.0.c", "1.4.0.b", "1.4.0.a", "1.3.6", "1.3.4", "1.3.2", "1.3.1", "1.3.0", "1.3.0.g", "1.3.0.e", "1.3.0.a", "1.2.7", "1.2.3", "1.2.1", "1.2.0.d", "1.2.0.c", "1.2.0.a", "1.1.2", "1.1.0", "1.0", "0.9.1.1", "0.9.1", "0.9.0.5", "0.9.0.4", "0.9.0.3", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "0.1.7", "0.1.5", "3.0.0", "3.0.1", "3.0.2", "3.0.3"]
Secure versions: [4.0.1, 4.1.0, 4.1.1]
Recommendation: Update to version 4.1.1.

Sinatra vulnerable to Reliance on Untrusted Inputs in a Security Decision

Published date: 2024-11-01
CVE: 2024-21510
CVSS V3: 5.4
Links:

Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header.

When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.

Affected versions: ["2.0.8", "2.0.7", "2.0.5", "2.0.3", "2.0.2", "2.0.1.rc1", "2.0.0", "2.0.0.rc6", "2.0.0.rc5", "2.0.0.rc1", "2.0.0.beta1", "1.4.8", "1.4.7", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.4.0.d", "1.3.5", "1.3.3", "1.3.0.f", "1.3.0.d", "1.3.0.c", "1.3.0.b", "1.2.9", "1.2.8", "1.2.6", "1.2.2", "1.2.0", "1.1.4", "1.1.3", "1.1.b", "1.1.a", "1.0.b", "1.0.a", "0.9.6", "0.9.5", "0.9.4", "0.9.2", "0.9.0.2", "0.9.0.1", "0.9.0", "0.3.3", "0.3.2", "0.3.1", "0.1.6", "0.1.0", "2.1.0", "2.0.8.1", "2.0.6", "2.0.4", "2.0.1", "2.0.0.rc2", "2.0.0.beta2", "1.4.6", "1.4.5", "1.4.4", "1.4.0.c", "1.4.0.b", "1.4.0.a", "1.3.6", "1.3.4", "1.3.2", "1.3.1", "1.3.0", "1.3.0.g", "1.3.0.e", "1.3.0.a", "1.2.7", "1.2.3", "1.2.1", "1.2.0.d", "1.2.0.c", "1.2.0.a", "1.1.2", "1.1.0", "1.0", "0.9.1.1", "0.9.1", "0.9.0.5", "0.9.0.4", "0.9.0.3", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "0.1.7", "0.1.5", "2.2.0", "2.2.1", "2.2.2", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "2.2.3", "3.0.4", "3.0.5", "2.2.4", "3.0.6", "3.1.0", "3.2.0", "4.0.0"]
Secure versions: [4.0.1, 4.1.0, 4.1.1]
Recommendation: Update to version 4.1.1.

106 Other Versions

Version License Security Released
4.1.1 MIT 2024-11-20 - 15:49 7 months
4.1.0 MIT 2024-11-18 - 11:33 8 months
4.0.1 MIT 2025-05-23 - 22:18 about 1 month
4.0.0 MIT 2 2024-01-19 - 11:52 over 1 year
3.2.0 MIT 2 2023-12-29 - 17:56 over 1 year
3.1.0 MIT 2 2023-08-07 - 09:22 almost 2 years
3.0.6 MIT 2 2023-04-11 - 15:35 about 2 years
3.0.5 MIT 2 2022-12-16 - 23:13 over 2 years
3.0.4 MIT 2 2022-11-25 - 16:38 over 2 years
3.0.3 MIT 4 2022-11-11 - 19:42 over 2 years
3.0.2 MIT 4 2022-10-01 - 17:24 almost 3 years
3.0.1 MIT 4 2022-09-26 - 16:05 almost 3 years
3.0.0 MIT 4 2022-09-26 - 01:06 almost 3 years
2.2.4 MIT 2 2022-12-16 - 23:04 over 2 years
2.2.3 MIT 2 2022-11-25 - 20:30 over 2 years
2.2.2 MIT 3 2022-07-23 - 21:17 almost 3 years
2.2.1 MIT 3 2022-07-15 - 14:35 almost 3 years
2.2.0 MIT 3 2022-02-15 - 16:23 over 3 years
2.1.0 MIT 6 2020-09-04 - 18:51 almost 5 years
2.0.8.1 MIT 6 2020-01-01 - 20:06 over 5 years
2.0.8 MIT 6 2020-01-01 - 09:42 over 5 years
2.0.7 MIT 6 2019-08-22 - 10:04 almost 6 years
2.0.6 MIT 6 2019-08-21 - 17:01 almost 6 years
2.0.5 MIT 6 2018-12-22 - 11:11 over 6 years
2.0.4 MIT 6 2018-09-15 - 09:38 almost 7 years
2.0.3 MIT 6 2018-06-08 - 16:04 about 7 years
2.0.2 MIT 6 2018-06-05 - 16:54 about 7 years
2.0.1 MIT 8 2018-02-16 - 15:43 over 7 years
2.0.1.rc1 MIT 10 2018-02-13 - 11:12 over 7 years
2.0.0 MIT 10 2017-05-07 - 00:05 about 8 years
2.0.0.rc6 MIT 7 2017-05-06 - 23:59 about 8 years
2.0.0.rc5 MIT 7 2017-05-06 - 23:52 about 8 years
2.0.0.rc2 MIT 7 2017-03-19 - 03:34 over 8 years
2.0.0.rc1 MIT 7 2017-03-04 - 18:18 over 8 years
2.0.0.beta2 MIT 7 2016-08-22 - 17:01 almost 9 years
2.0.0.beta1 MIT 7 2016-08-22 - 15:17 almost 9 years
1.4.8 MIT 5 2017-01-30 - 03:31 over 8 years
1.4.7 MIT 5 2016-01-24 - 12:26 over 9 years
1.4.6 MIT 5 2015-03-24 - 02:42 over 10 years
1.4.5 MIT 5 2014-04-08 - 15:21 about 11 years
1.4.4 UNKNOWN 5 2013-10-21 - 10:12 over 11 years
1.4.3 UNKNOWN 5 2013-06-07 - 21:05 about 12 years
1.4.2 UNKNOWN 5 2013-03-21 - 09:08 over 12 years
1.4.1 UNKNOWN 5 2013-03-15 - 17:20 over 12 years
1.4.0 UNKNOWN 5 2013-03-15 - 11:28 over 12 years
1.4.0.c UNKNOWN 5 2013-02-26 - 23:19 over 12 years
1.4.0.d UNKNOWN 5 2013-03-09 - 17:17 over 12 years
1.4.0.b UNKNOWN 5 2013-02-26 - 13:58 over 12 years
1.4.0.a UNKNOWN 5 2013-02-26 - 07:01 over 12 years
1.3.6 UNKNOWN 5 2013-03-15 - 11:23 over 12 years