Описание
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
A flaw was found in Sinatra when serving static files from the public directory. The requested path is not validated if it is in the public directory, allowing files outside of the public directory to be served.
Меры по смягчению последствий
Disable the static option which will disable the public_dir option. With this configuration, Sinatra will not serve files from the public directory and therefore files outside of it.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | pcs | Affected | ||
| Red Hat Satellite 6 | tfm-ror51-rubygem-mustermann | Affected | ||
| Red Hat Satellite 6 | tfm-ror51-rubygem-rack-protection | Affected | ||
| Red Hat Satellite 6 | tfm-ror51-rubygem-sinatra | Affected | ||
| Red Hat Satellite 6 | tfm-ror52-rubygem-mustermann | Affected | ||
| Red Hat Satellite 6 | tfm-ror52-rubygem-rack-protection | Affected | ||
| Red Hat Satellite 6 | tfm-ror52-rubygem-sinatra | Affected | ||
| Red Hat Satellite 6 | tfm-rubygem-mustermann | Affected | ||
| Red Hat Satellite 6 | tfm-rubygem-rack-protection | Affected | ||
| Red Hat Satellite 6 | tfm-rubygem-sinatra | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
Sinatra before 2.2.0 does not validate that the expanded path matches ...
sinatra does not validate expanded path matches
EPSS
7.5 High
CVSS3