sinatra-2.1.0.gem: 13 vulnerabilities (highest severity is: 10.0) #7
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
1 task
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
1 task
mend-for-github-com
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.
Library home page: https://rubygems.org/gems/sinatra-2.1.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /che/sinatra-2.1.0.gem
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - rack-2.2.3.gem
Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rack-2.2.3.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack.
Publish Date: 2022-12-05
URL: CVE-2022-30123
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.9%
CVSS 3 Score Details (10.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-wq4h-7r42-5hrr
Release Date: 2022-12-05
Fix Resolution: rack - 2.0.9.1,2.1.4.1,2.2.3.1
Vulnerable Library - sinatra-2.1.0.gem
Sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.
Library home page: https://rubygems.org/gems/sinatra-2.1.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /che/sinatra-2.1.0.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. Version 2.2.3 and 3.0.4 contain patches for this issue.
Publish Date: 2022-11-28
URL: CVE-2022-45442
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.6%
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-2x8x-jmrp-phxw
Release Date: 2022-11-28
Fix Resolution: sinatra - 2.2.3,3.0.4
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - rack-2.2.3.gem
Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rack-2.2.3.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected.
Publish Date: 2023-03-10
URL: CVE-2023-27530
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2023-03-10
Fix Resolution: rack - 2.0.9.3,2.1.4.3,2.2.6.3,3.0.4.2
Vulnerable Library - rack-2.2.3.gem
Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rack-2.2.3.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
Publish Date: 2023-02-09
URL: CVE-2022-44572
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-rqv2-275x-2jq5
Release Date: 2023-02-09
Fix Resolution: rack - 2.0.9.2,2.1.4.2,2.2.6.2,3.0.4.1
Vulnerable Library - rack-2.2.3.gem
Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rack-2.2.3.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted.
Publish Date: 2023-02-09
URL: CVE-2022-44571
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-93pm-5p5f-3ghx
Release Date: 2023-02-09
Fix Resolution: rack - 2.0.9.2,2.1.4.2,2.2.6.2,3.0.4.1
Vulnerable Library - rack-2.2.3.gem
Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rack-2.2.3.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.
Publish Date: 2023-02-09
URL: CVE-2022-44570
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-65f5-mfpf-vfhj
Release Date: 2023-02-09
Fix Resolution: rack - 2.0.9.2,2.1.4.2,2.2.6.2,3.0.4.1
Vulnerable Library - rack-2.2.3.gem
Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rack-2.2.3.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack.
Publish Date: 2022-12-05
URL: CVE-2022-30122
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-hxqx-xwvh-44m2
Release Date: 2022-12-05
Fix Resolution: rack - 2.0.9.1,2.1.4.1,2.2.3.1
Vulnerable Library - sinatra-2.1.0.gem
Sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.
Library home page: https://rubygems.org/gems/sinatra-2.1.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /che/sinatra-2.1.0.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
Publish Date: 2022-05-02
URL: CVE-2022-29970
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-qp49-3pvw-x4m5
Release Date: 2022-05-02
Fix Resolution: sinatra - 2.2.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - rack-2.2.3.gem
Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rack-2.2.3.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the
Rack::Filemiddleware or theRack::Utils.byte_rangesmethods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.Publish Date: 2024-02-28
URL: CVE-2024-26141
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-26141
Release Date: 2024-02-28
Fix Resolution: rack - 2.2.8.1,3.0.9.1
Vulnerable Library - sinatra-2.1.0.gem
Sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.
Library home page: https://rubygems.org/gems/sinatra-2.1.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /che/sinatra-2.1.0.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.
Publish Date: 2024-11-01
URL: CVE-2024-21510
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 0.0%
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-hxx2-7vcw-mqr3
Release Date: 2024-11-01
Fix Resolution: sinatra - 4.1.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - rack-2.2.3.gem
Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rack-2.2.3.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.
Publish Date: 2024-02-28
URL: CVE-2024-26146
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-26146
Release Date: 2024-02-28
Fix Resolution: rack - 2.0.9.4,2.1.4.4,2.2.8.1,3.0.9.1
Vulnerable Library - rack-2.2.3.gem
Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rack-2.2.3.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1.
Publish Date: 2024-02-28
URL: CVE-2024-25126
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-22f2-v57c-j9cx
Release Date: 2024-02-28
Fix Resolution: rack - 2.2.8.1,3.0.9.1
Vulnerable Library - rack-2.2.3.gem
Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rack-2.2.3.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
There is a denial of service vulnerability in the header parsing component of Rack. Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. The issue is fixed versions 2.2.6.4 and 3.0.6.1
Publish Date: 2025-01-09
URL: CVE-2023-27539
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
Release Date: 2025-01-09
Fix Resolution: rack - 2.2.6.4,3.0.6.1
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: