PT-2021-7627 · Sinatra+8

Published: 2021-02-17 · Updated: 2025-08-25 · CVE-2022-29970

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Sinatra versions prior to 2.2.0

Description: Insufficient path name restriction in the static-file handler of the Ruby web framework Sinatra allows a remote, unauthenticated attacker to read files outside the application's public directory. When serving a static file, Sinatra unescapes the request path, appends it to the configured public folder and expands the result, but versions before 2.2.0 never check that the expanded path still lies inside that public folder. A request path containing ".." segments that reaches the handler unnormalized therefore resolves to an arbitrary file readable by the application user. The impact is limited to confidentiality (CVSS v2 C:C/I:N/A:N); exploitability in a given deployment depends on the web server or Rack middleware in front of the application passing such segments through rather than collapsing or rejecting them.

Recommendations: For versions prior to 2.2.0, update to Sinatra 2.2.0 or later (confirm the installed version with gem list sinatra, or from Gemfile.lock). Until the upgrade is possible, either disable Sinatra's built-in static file serving (set :static, false) and serve assets from the front-end web server instead, or ensure the reverse proxy in front of the application normalizes or rejects ".." path segments before they reach it. In all cases, do not keep sensitive files in the public folder or in directories that the public folder's parent tree exposes to the application user.
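The following Ruby script is an added example for this entry, not code from Sinatra's own code base. It models the two shapes of static-file resolution the description contrasts: the vulnerable shape (unescape, concatenate onto the public folder, expand, serve if the file exists) and a hardened shape that adds the containment check the 2.2.0 fix introduced, namely that the expanded path must start with the expanded public folder plus a path separator. The directory layout, file names and request paths are constructed for the demonstration; the resolvers are called directly, so the script bypasses whatever normalization an HTTP server or Rack middleware would apply in a live deployment.

```ruby
require "tmpdir"
require "fileutils"

# Percent-decode the request path before joining it to the public folder, as a
# static-file handler does (Sinatra unescapes request.path_info at this point).
# Decoding happens before path expansion, so "%2e%2e" behaves exactly like "..".
def unescape_path(path_info)
  path_info.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# Vulnerable shape (pre-2.2.0 behaviour): concatenate, expand, serve if the
# file exists. Nothing verifies that the expanded path is still inside public_dir.
def resolve_static_vulnerable(public_dir, path_info)
  path = File.expand_path("#{public_dir}#{unescape_path(path_info)}")
  File.file?(path) ? path : nil
end

# Hardened shape: same resolution, then refuse any expanded path that does not
# start with the expanded public_dir plus a separator. The trailing "/" matters:
# without it "/srv/app/public_secrets/x" would pass for public_dir "/srv/app/public".
def resolve_static_hardened(public_dir, path_info)
  path = File.expand_path("#{public_dir}#{unescape_path(path_info)}")
  root = File.expand_path(public_dir) + "/"
  return nil unless path.start_with?(root)

  File.file?(path) ? path : nil
end

# Constructed layout for the demo: a public folder holding one asset, and a
# secret file one level above it. Returns, per request path,
# [vulnerable result, hardened result] where a result is the served path or nil.
def demo
  Dir.mktmpdir("static-traversal") do |base|
    public_dir = File.join(base, "public")
    FileUtils.mkdir_p(public_dir)
    File.write(File.join(public_dir, "app.css"), "body{}")
    File.write(File.join(base, "secret.txt"), "db-password")

    ["/app.css", "/../secret.txt", "/%2e%2e/secret.txt", "/missing.css"].to_h do |req|
      [req, [resolve_static_vulnerable(public_dir, req),
             resolve_static_hardened(public_dir, req)]]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each do |req, (vuln, hard)|
    puts format("%-20s vulnerable=%-7s hardened=%s",
                req, vuln ? "SERVED" : "nil", hard ? "SERVED" : "nil")
  end
end
```

Running the script shows both resolvers serving /app.css and refusing /missing.css, while only the vulnerable resolver returns the file outside the public folder for /../secret.txt and its percent-encoded form. The check is deliberately done on the expanded path rather than on the raw request string, so it does not matter how the traversal was spelled.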

Exploit

Fix

Weakness Enumeration

Path traversal
Untrusted Search Path

Related Identifiers

ALSA-2022:4587
ALSA-2022:4661
BDU:2023-00294
CESA-2022:4661
CVE-2022-29970
DLA-3166-1
DLA-3877-1
GHSA-qp49-3pvw-x4m5
MGASA-2022-0280
RHSA-2022:2253
RHSA-2022:2255
RHSA-2022:2256
RHSA-2022:4587
RHSA-2022:4661
RHSA-2022:8506
RLSA-2022:4661
RLSA-2022:8506
SUSE-SU-2022:1729-1
SUSE-SU-2022:2046-1
USN-7664-1

Affected Products

AlmaLinux
Astra Linux
CentOS
Linux Mint
Red Hat
RED OS
Rocky Linux
Sinatra
Ubuntu