{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2022-45442","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","dateUpdated":"2025-11-04T16:09:56.861Z","dateReserved":"2022-11-15T00:00:00.000Z","datePublished":"2022-11-28T00:00:00.000Z"},"containers":{"cna":{"title":"Sinatra vulnerable to Reflected File Download attack","providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2023-01-10T00:00:00.000Z"},"descriptions":[{"lang":"en","value":"Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. Version 2.2.3 and 3.0.4 contain patches for this issue."}],"affected":[{"vendor":"sinatra","product":"sinatra","versions":[{"version":">= 3.0, < 3.0.4","status":"affected"},{"version":">= 2.0, < 2.2.3","status":"affected"}]}],"references":[{"url":"https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw"},{"url":"https://github.com/sinatra/sinatra/commit/ea8fc9495a350f7551b39e3025bfcd06f49f363b"},{"url":"https://github.com/advisories/GHSA-8x94-hmjh-97hq"},{"url":"https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf"},{"name":"[debian-lts-announce] 20230110 [SECURITY] [DLA 3264-1] ruby-sinatra security update","tags":["mailing-list"],"url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00005.html"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"}}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-494: Download of Code Without Integrity Check","cweId":"CWE-494"}]}],"source":{"advisory":"GHSA-2x8x-jmrp-phxw","discovery":"UNKNOWN"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw","tags":["x_transferred"]},{"url":"https://github.com/sinatra/sinatra/commit/ea8fc9495a350f7551b39e3025bfcd06f49f363b","tags":["x_transferred"]},{"url":"https://github.com/advisories/GHSA-8x94-hmjh-97hq","tags":["x_transferred"]},{"url":"https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf","tags":["x_transferred"]},{"name":"[debian-lts-announce] 20230110 [SECURITY] [DLA 3264-1] ruby-sinatra security update","tags":["mailing-list","x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00005.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00020.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-04T16:09:56.861Z"}},{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-04-22T15:40:06.476261Z","id":"CVE-2022-45442","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-04-22T15:59:32.565Z"}}]}}