Search for packages
| purl | pkg:gem/sinatra@3.0.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-k7su-xtsg-jyg9
Aliases: CVE-2022-45442 GHSA-2x8x-jmrp-phxw |
Sinatra vulnerable to Reflected File Download attack ### Description An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. ### References * https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf * https://github.com/advisories/GHSA-8x94-hmjh-97hq |
Affected by 2 other vulnerabilities. |
|
VCID-tax5-a72w-mbhy
Aliases: CVE-2025-61921 GHSA-mr3q-g2mv-mr4q |
Sinatra is vulnerable to ReDoS through ETag header value generation There is a denial of service vulnerability in the `If-Match` and `If-None-Match` header parsing component of Sinatra, if the `etag` method is used when constructing the response and you are using Ruby < 3.2. |
Affected by 0 other vulnerabilities. |
|
VCID-vy9q-nvxx-yfh5
Aliases: CVE-2024-21510 GHSA-hxx2-7vcw-mqr3 |
Sinatra vulnerable to Reliance on Untrusted Inputs in a Security Decision Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||