CVE-2022-45442

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-45442
Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. Version 2.2.3 and 3.0.4 contain patches for this issue.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/advisories/GHSA-8x94-hmjh-97hq Not Applicable
https://github.com/sinatra/sinatra/commit/ea8fc9495a350f7551b39e3025bfcd06f49f363b Patch Third Party Advisory
https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00005.html Mailing List Third Party Advisory
https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf Exploit Third Party Advisory
https://github.com/advisories/GHSA-8x94-hmjh-97hq Not Applicable
https://github.com/sinatra/sinatra/commit/ea8fc9495a350f7551b39e3025bfcd06f49f363b Patch Third Party Advisory
https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00005.html Mailing List Third Party Advisory
https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:sinatrarb:sinatra:*:*:*:*:*:*:*:*
cpe:2.3:a:sinatrarb:sinatra:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
History

21 Nov 2024, 07:29

Type Values Removed Values Added
References () https://github.com/advisories/GHSA-8x94-hmjh-97hq - Not Applicable () https://github.com/advisories/GHSA-8x94-hmjh-97hq - Not Applicable
References () https://github.com/sinatra/sinatra/commit/ea8fc9495a350f7551b39e3025bfcd06f49f363b - Patch, Third Party Advisory () https://github.com/sinatra/sinatra/commit/ea8fc9495a350f7551b39e3025bfcd06f49f363b - Patch, Third Party Advisory
References () https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw - Third Party Advisory () https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw - Third Party Advisory
References () https://lists.debian.org/debian-lts-announce/2023/01/msg00005.html - Mailing List, Third Party Advisory () https://lists.debian.org/debian-lts-announce/2023/01/msg00005.html - Mailing List, Third Party Advisory
References () https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf - Exploit, Third Party Advisory () https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf - Exploit, Third Party Advisory
Information

Published : 2022-11-28 21:15

Updated : 2024-11-21 07:29

NVD link : CVE-2022-45442

Mitre link : CVE-2022-45442

CVE.ORG link : CVE-2022-45442

JSON object : View

Products Affected

debian

  • debian_linux

sinatrarb

  • sinatra
CWE
CWE-494

Download of Code Without Integrity Check


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024