MGASA-2023-0029 Updated ruby-sinatra packages fix security vulnerability
Potential reflected file download RFD vulnerability in ruby-sinatra, a Ruby library for writing HTTP applications. A Content-Disposition HTTP header was being incorrectly derived from a potentially user-supplied filename. CVE-2022-45442...
sinatra: Reflected File Download attack
A flaw was found in Sinatra, a domain-specific language for creating web applications in Ruby. An application is vulnerable to a reflected file download RFD attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input...
Regular Expression Denial of Service (ReDoS)
Overview rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between the so-called middleware into a singl...
Debian dla-3264 : ruby-rack-protection - security update
The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3264 advisory. - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3264-1 [email protected] https://www.debian.org/lts/security/...
External Control of Assumed-Immutable Web Parameter
Overview Affected versions of this package are vulnerable to External Control of Assumed-Immutable Web Parameter due to improper escape of the " character in the generatemultipart function, which allows injecting malicious content to the filename parameter via the Content-Disposition header. PoC...
Resources Downloaded over Insecure Protocol
Overview Affected versions of this package are vulnerable to Resources Downloaded over Insecure Protocol due to improper validation of the Content-Disposition header when the filename was provided by the user. Exploiting this vulnerability results in a reflected file download RFD attack...
UBUNTU-CVE-2022-45442
Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download RFD attack that sets the Content-Disposition header of a response when the filename is...
CVE-2022-45442 Sinatra vulnerable to Reflected File Download attack
Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download RFD attack that sets the Content-Disposition header of a response when the filename is...
CVE-2022-45442
Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download RFD attack that sets the Content-Disposition header of a response when the filename is...
DEBIAN-CVE-2022-36359
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download RFD attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input...
PT-2022-7277 · Sinatra +8
Name of the Vulnerable Software and Affected Versions: Sinatra versions 2.0 through 2.2.2 Sinatra versions 3.0 through 3.0.3 Description: The issue is related to a reflected file download RFD attack that sets the Content-Disposition header of a response when the filename is derived from...
Security Bulletin: Pip as used by IBM QRadar Advisor With Watson is vulnerable to multiple vulnerabilities (CVE-2019-20916, CVE-2021-3572, CVE-2018-20225)
Summary Pip as used by IBM QRadar Advisor With Watson to manage python packages is vulnerable to multiple vulnerabilities. IBM QRadar Advisor With Watson has addressed the applicable CVEs by updating pip. Vulnerability Details CVEID: CVE-2019-20916 DESCRIPTION: pypa pip package for python could...
GHSA-7JJR-3R8R-9PCF Trac missing Content-Disposition HTTP header
Trac before 0.10.3.1 does not send a Content-Disposition HTTP header specifying an attachment in certain "unsafe" situations, which has unknown impact and remote attack vectors...
Spark Information Disclosure Vulnerability (CNVD-2021-37593)
Spark is a public domain FHIR server developed using C. A security vulnerability exists in versions prior to Firely/Incendi Spark 1.5.5-r4, which stems from the lack of a Content-Disposition header in some cases, which could result in carefully crafted files being delivered to the client to be...
Firely/Incendi Spark security vulnerability
Spark is a public domain FHIR server developed using C. A security vulnerability exists in versions prior to Firely/Incendi Spark 1.5.5-r4, which stems from the lack of a Content-Disposition header in some cases, which could result in carefully crafted files being delivered to the client to be...
CVE-2021-27132
SerComm AG Combo VD625 AGSOT2.1.0 devices allow CRLF injection for HTTP header injection in the download function via the Content-Disposition header...
OX App Suite Cross-Site Scripting Vulnerability (CNVD-2021-03040)
OX App Suite is a modular platform designed for telcos, hosting companies and vendors to deliver a wide range of cloud-based services. A cross-site scripting vulnerability exists in OX App Suite 7.10.4. An attacker can exploit this vulnerability via a specially crafted Content-Disposition header ...
CVE-2021-23929
OX App Suite through 7.10.4 allows XSS via a crafted Content-Disposition header in an uploaded HTML document to an ajax/share/?delivery=view URI...
python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py
A flaw was found in the pip package installer for Python when downloading or installing a remote package via a specified URL. Improper validation of the "Content-Disposition" HTTP response header makes a path traversal attack possible, leading to an arbitrary file overwrite. This flaw allows an...