CVE-2022-45442

Summary

Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. Version 2.2.3 and 3.0.4 contain patches for this issue.

Affected Software

VendorProductVersion RangeStatus
sinatrasinatra>= 3.0, < 3.0.4affected
sinatrasinatra>= 2.0, < 2.2.3affected

Weaknesses

  • CWE-494: CWE-494: Download of Code Without Integrity Check

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References