QwikSec

Security Database

CVE

CWE

Training

CVE-2022-45442

Published: Nov 28, 2022

Modified: Nov 4, 2025

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. Version 2.2.3 and 3.0.4 contain patches for this issue.

Vendor	Product	Versions
sinatra	sinatra	affected `>= 3.0, < 3.0.4` affected `>= 2.0, < 2.2.3`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw

https://github.com/sinatra/sinatra/commit/ea8fc9495a350f7551b39e3025bfcd06f49f363b

https://github.com/advisories/GHSA-8x94-hmjh-97hq

https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf

[debian-lts-announce] 20230110 [SECURITY] [DLA 3264-1] ruby-sinatra security update

mailing-list

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.