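Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files. Without that check, a request path that expands to a location outside public_dir may be served as a static file, exposing files the application did not intend to publish; versions 2.2.0 and later are not affected by this issue.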
{ "ubuntu_priority": "medium" }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "ruby-rack-protection": "3.0.5-3", "ruby-sinatra": "3.0.5-3", "ruby-sinatra-contrib": "3.0.5-3" } ] }