sinatra-3.0.2.gem: 2 vulnerabilities (highest severity is: 8.8) #4
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
1 task
1 task
mend-for-github-com
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.
Library home page: https://rubygems.org/gems/sinatra-3.0.2.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /.7.0/cache/sinatra-3.0.2.gem
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - sinatra-3.0.2.gem
Sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.
Library home page: https://rubygems.org/gems/sinatra-3.0.2.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /.7.0/cache/sinatra-3.0.2.gem
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. Version 2.2.3 and 3.0.4 contain patches for this issue.
Publish Date: 2022-11-28
URL: CVE-2022-45442
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.6%
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-2x8x-jmrp-phxw
Release Date: 2022-11-28
Fix Resolution: sinatra - 2.2.3,3.0.4
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - sinatra-3.0.2.gem
Sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.
Library home page: https://rubygems.org/gems/sinatra-3.0.2.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /.7.0/cache/sinatra-3.0.2.gem
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.
Publish Date: 2024-11-01
URL: CVE-2024-21510
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 0.0%
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-hxx2-7vcw-mqr3
Release Date: 2024-11-01
Fix Resolution: sinatra - 4.1.0
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: