vulnerability
Ubuntu: USN-7664-1 (CVE-2022-45442): Sinatra vulnerabilities
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:M/Au:N/C:C/I:C/A:C) | Nov 28, 2022 | Jun 26, 2025 | Aug 18, 2025 |
Severity
9
CVSS
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published
Nov 28, 2022
Added
Jun 26, 2025
Modified
Aug 18, 2025
Description
Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. Version 2.2.3 and 3.0.4 contain patches for this issue.
Solution
ubuntu-pro-upgrade-ruby-sinatra
References
- CVE-2022-45442
- https://attackerkb.com/topics/CVE-2022-45442
- CWE-494
- UBUNTU-USN-7664-1
- URL-https://github.com/advisories/GHSA-8x94-hmjh-97hq
- URL-https://github.com/sinatra/sinatra/commit/ea8fc9495a350f7551b39e3025bfcd06f49f363b
- URL-https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw
- URL-https://ubuntu.com/security/notices/USN-7664-1
- URL-https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf
- URL-https://www.cve.org/CVERecord?id=CVE-2022-45442
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.