Lucene search

K

[email protected]NVD:CVE-2022-45442

HistoryNov 28, 2022 - 9:15 p.m.

CVE-2022-45442

2022-11-2821:15:10

CWE-494

[email protected]

web.nvd.nist.gov

1

sinatra

ruby

reflected file download

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

70.2%

Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. Version 2.2.3 and 3.0.4 contain patches for this issue.

Affected configurations

NVD

Node

sinatrarbsinatraRange2.0.0–2.2.3

OR

sinatrarbsinatraRange3.0.0–3.0.4

Node

debiandebian_linuxMatch10.0

References

github.com/advisories/GHSA-8x94-hmjh-97hq

github.com/sinatra/sinatra/commit/ea8fc9495a350f7551b39e3025bfcd06f49f363b

github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw

lists.debian.org/debian-lts-announce/2023/01/msg00005.html

www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

70.2%

Related for NVD:CVE-2022-45442

nessus14 redhat7 almalinux2 veracode1 prion1 debiancve1 cvelist1 rocky1 osv10 openvas2 redos1 github1 redhatcve1 oraclelinux2 mageia1 cve1 debian1 ubuntucve1