CVE-2022-45442 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
GitHub_M	CNA	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 35%

Vendor	Product	Version
sinatrarb	sinatra	2.0.0 ≤ 𝑥 < 2.2.3
sinatrarb	sinatra	3.0.0 ≤ 𝑥 < 3.0.4
debian	debian_linux	10.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

ruby-sinatra

bullseye	vulnerable
bullseye (security)	2.0.8.1-2+deb11u1 fixed
bookworm	3.0.5-3 fixed
sid	3.2.0-1 fixed
trixie	3.2.0-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

ruby-sinatra

noble	not-affected
mantic	not-affected
lunar	not-affected
kinetic	ignored
jammy	needed
focal	needed
bionic	needed
xenial	needs-triage
trusty	ignored

Known Exploits!

Common Weakness Enumeration

CWE-494 - Download of Code Without Integrity Check
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

References

https://github.com/advisories/GHSA-8x94-hmjh-97hq

https://github.com/sinatra/sinatra/commit/ea8fc9495a350f7551b39e3025bfcd06f49f363b

https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw

https://lists.debian.org/debian-lts-announce/2023/01/msg00005.html

https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf

https://github.com/advisories/GHSA-8x94-hmjh-97hq

https://github.com/sinatra/sinatra/commit/ea8fc9495a350f7551b39e3025bfcd06f49f363b

https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw

https://lists.debian.org/debian-lts-announce/2023/01/msg00005.html

https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf