PT-2022-7277 · Sinatra+8

Motoyasu-Saburi · Published 2022-08-03 · Updated 2025-07-22 · CVE-2022-45442
CVSS v2.0: 10 (High) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Sinatra versions 2.0 through 2.2.2; Sinatra versions 3.0 through 3.0.3
Description: Sinatra's Content-Disposition handling is subject to a reflected file download (RFD) attack. When the filename placed in the Content-Disposition header is derived from user-supplied input, an attacker can craft a link to the trusted host whose response the victim's browser saves under an attacker-chosen name and extension (for example a Windows .bat or .cmd file), with the file's content influenced by the same request in a typical RFD. Opening that download runs the attacker's commands on the victim's machine. The server itself is not compromised and the victim has to run the file, so "arbitrary code execution" here means code execution on a client that trusts the download's origin. The weakness is classed as download of code without integrity check (CWE-494).
Recommendations: For Sinatra versions 2.0 through 2.2.2, update to version 2.2.3; for Sinatra versions 3.0 through 3.0.3, update to version 3.0.4. Until the update is applied, do not build the Content-Disposition filename from user-supplied input. If a user-chosen name is unavoidable, reduce it to a single path component and strip quotes, semicolons, backslashes and control characters before it reaches the header, and refuse executable extensions so that a reflected download cannot be saved as a script.
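To make the recommendation concrete, the following is an added example written for this page; it is not Sinatra's attachment helper and not the 2.2.3/3.0.4 patch. It places the vulnerable pattern (user input interpolated into the header) beside a hardened one. The function names, the constructed attacker input and the executable-extension block list are assumptions of the example; the block list goes beyond the advisory as defence in depth.

```ruby
require 'erb' # ERB::Util.url_encode percent-encodes the RFC 6266 filename* value

# Constructed attacker input (assumption for this example): the embedded quote
# closes the filename attribute and smuggles a second one naming a Windows batch file.
MALICIOUS_NAME = %(report.txt"; filename="setup.bat)

# Vulnerable pattern: the caller-supplied name is interpolated straight into the
# header, so quotes and semicolons inside it become header syntax.
def content_disposition_unsafe(filename)
  %(attachment; filename="#{filename}")
end

# Extensions a browser on Windows will run on double-click; refusing them is an
# added defence in depth so that a reflected download cannot become a script.
EXECUTABLE_EXTENSIONS = %w[.bat .cmd .com .exe .ps1 .vbs .js .jar .scr .hta .lnk].freeze

# Reduce a caller-supplied name to a single safe path component: no control
# characters (including NUL), quotes, backslashes or semicolons, and no directories.
def sanitize_filename(filename)
  name = filename.to_s.gsub(/[\x00-\x1f\x7f"\\;]/, '_') # before basename: it rejects NUL bytes
  name = File.basename(name)
  name = 'download' if name.strip.empty? || ['.', '..', '/'].include?(name)
  name
end

# Hardened pattern: sanitized ASCII fallback in filename= plus the RFC 6266/5987
# filename*= form for non-ASCII names; executable extensions are refused outright.
def content_disposition_safe(filename)
  name = sanitize_filename(filename)
  ext = File.extname(name).downcase
  raise ArgumentError, "refusing executable attachment extension #{ext}" if EXECUTABLE_EXTENSIONS.include?(ext)
  ascii = name.encode('US-ASCII', invalid: :replace, undef: :replace, replace: '_')
  %(attachment; filename="#{ascii}"; filename*=UTF-8''#{ERB::Util.url_encode(name)})
end

if __FILE__ == $PROGRAM_NAME
  puts content_disposition_unsafe(MALICIOUS_NAME)   # two filename attributes: the RFD primitive
  puts content_disposition_safe('../../etc/passwd') # directory components stripped
  puts content_disposition_safe('résumé.pdf')       # non-ASCII carried in filename*
  begin
    content_disposition_safe(MALICIOUS_NAME)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Run it with `ruby rfd_example.rb`. The unsafe form emits `attachment; filename="report.txt"; filename="setup.bat"`, which is exactly the primitive an RFD needs; the safe form keeps the whole input inside one quoted attribute and, because the smuggled name still ends in `.bat` after sanitisation, refuses it. Sending `X-Content-Type-Options: nosniff` and an explicit Content-Type on such responses narrows RFD further, since the browser then will not guess a more permissive type for the reflected body.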

Related Identifiers

ALSA-2023:0855
ALSA-2023:0974
BDU:2024-01888
BIT-DJANGO-2022-36359
CESA-2023:0855
CVE-2022-45442
DLA-3264-1
DLA-3877-1
GHSA-2x8x-jmrp-phxw
GHSA-8x94-hmjh-97hq
MGASA-2023-0029
OESA-2024-2474
OESA-2024-2475
OESA-2024-2476
OESA-2024-2477
OESA-2024-2490
PYSEC-2022-245
RHSA-2023:0393
RHSA-2023:0427
RHSA-2023:0506
RHSA-2023:0527
RHSA-2023:0855
RHSA-2023:0857
RHSA-2023:0974
RLSA-2023:0855
USN-7664-1

Affected Products

AlmaLinux
Astra Linux
CentOS
Linux Mint
Red Hat
RED OS
Rocky Linux
Sinatra
Ubuntu