GHSA-2x8x-jmrp-phxw

Опубликовано: 30 нояб. 2022

Источник: github

Github: Прошло ревью

CVSS3: 8.8

Описание

Sinatra vulnerable to Reflected File Download attack

Description

An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input.

References

Ссылки

Пакеты

Наименование

sinatra

rubygems

Затронутые версииВерсия исправления

>= 3.0, < 3.0.4

3.0.4

Наименование

sinatra

rubygems

Затронутые версииВерсия исправления

>= 2.0.0, < 2.2.3

2.2.3

EPSS

Процентиль: 35%

0.00142

Низкий

8.8 High

CVSS3

CVE ID

CVE-2022-45442

Дефекты

CWE-494

Связанные уязвимости

CVE-2022-45442

CVSS3: 8.8

ubuntu

почти 3 года назад

Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. Version 2.2.3 and 3.0.4 contain patches for this issue.