CVE-2022-45442

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-45442

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-45442.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-45442

Aliases

GHSA-2x8x-jmrp-phxw

Downstream

DEBIAN-CVE-2022-45442

DLA-3264-1

DLA-3877-1

OESA-2024-2474

OESA-2024-2475

OESA-2024-2476

OESA-2024-2477

OESA-2024-2490

RHSA-2023:0393

RHSA-2023:0427

RHSA-2023:0506

RHSA-2023:0527

RHSA-2023:0855

RHSA-2023:0857

RHSA-2023:0974

UBUNTU-CVE-2022-45442

USN-7664-1

Related

Published

2022-11-28T00:00:00Z

Modified

2025-10-13T12:23:37.538092Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Sinatra vulnerable to Reflected File Download attack

Details

Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. Version 2.2.3 and 3.0.4 contain patches for this issue.

References

Affected packages

Git / github.com/sinatra/sinatra

Affected ranges

Type: GIT
Repo: https://github.com/sinatra/sinatra
Events: Introduced

815b69fe2510930de97a89f9318fcfa35165e96e

Fixed

eca7b54a64d1b64c4245c0f025e8dabb1cafde7c

Type: GIT
Repo: https://github.com/sinatra/sinatra
Events: Introduced

5de64980e0f0fe146d8b60ca3b009f183113e68b

Fixed

0bdb254b9a21aaef9eb24540f174318abefca2a2

Affected versions

v2.*

v2.0.0

v2.0.1

v2.0.1.rc1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.0.7

v2.0.8

v2.0.8.1

v2.1.0

v2.2.1

v2.2.2

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3