Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3877 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-3877-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                   Jochen Sprickerhof     September 05, 2024                            https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : ruby-sinatra     Version        : 2.0.8.1-2+deb11u1     CVE ID         : CVE-2022-29970 CVE-2022-45442     Debian Bug     : 1014717 1070953

    Sinatra is an open source web framework for Ruby programming language.

    CVE-2022-29970

        A file traversal vulnerability was discovered. We now validate that         any expanded paths match the allowed `public_dir` when serving         static files.

    CVE-2022-45442

        It was discovered that there was a potential reflected file download         (RFD) vulnerability. A Content-Disposition HTTP header was being         incorrectly derived from a potentially user-supplied filename.

    For Debian 11 bullseye, these problems have been fixed in version     2.0.8.1-2+deb11u1.

    We recommend that you upgrade your ruby-sinatra packages.

    For the detailed security status of ruby-sinatra please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/ruby-sinatra

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:8506 advisory.

    Red Hat Satellite is a systems management tool for Linux-based     infrastructure. It allows for provisioning, remote management, and     monitoring of multiple Linux deployments with a single centralized tool.

    Security Fix(es):
    * netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)
    * netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an     unnecessary way (CVE-2021-37137)
    * python3-django: Possible XSS via template tag (CVE-2022-22818)
    * tfm-rubygem-nokogiri: ReDoS in HTML encoding detection (CVE-2022-24836)
    * tfm-rubygem-sinatra: Path traversal possible outside of public_dir when serving static files     (CVE-2022-29970)
    * tfm-rubygem-git: Package vulnerable to Command Injection via git argument injection (CVE-2022-25648)
    * rubygem-rails-html-sanitizer: Possible XSS with certain configurations (CVE-2022-32209)
    * python3-django: Potential SQL injection via Trunc and Extract arguments (CVE-2022-34265)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page(s) listed in the References section.

    Additional Changes:

    The items above are not a complete list of changes. This update also fixes     several bugs and adds various enhancements. Documentation for these changes     is available from the Release Notes document.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:8506 advisory.

  - The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed     output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are     affected. The malicious input can trigger an OOME and so a DoS attack (CVE-2021-37136)

  - The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory     usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which     may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious     input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable     chunk. (CVE-2021-37137)

  - The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not     properly encode the current context. This may lead to XSS. (CVE-2022-22818)

  - Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient     regular expression that is susceptible to excessive backtracking when attempting to detect encoding in     HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for     this issue. (CVE-2022-24836)

  - The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling     the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch     subcommand in a way that additional flags can be set. The additional flags can be used to perform a     command injection. (CVE-2022-25648)

  - Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static     files. (CVE-2022-29970)

  - # Possible XSS Vulnerability in Rails::Html::SanitizerThere is a possible XSS vulnerability with certain     configurations of Rails::Html::Sanitizer.This vulnerability has been assigned the CVE identifier     CVE-2022-32209.Versions Affected: ALLNot affected: NONEFixed Versions: v1.4.3## ImpactA possible XSS     vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject     content if the application developer has overridden the sanitizer's allowed tags to allow both `select`     and `style` elements.Code is only impacted if allowed tags are being overridden. This may be done via     application configuration:```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags =     [select, style]```see https://guides.rubyonrails.org/configuring.html#configuring-action-viewOr it may     be done with a `:tags` option to the Action View helper `sanitize`:```<%= sanitize @comment.body, tags:
    [select, style] %>```see     https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitizeOr it may be     done with Rails::Html::SafeListSanitizer directly:```ruby# class-level     optionRails::Html::SafeListSanitizer.allowed_tags = [select, style]```or```ruby# instance-level     optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [select, style])```All users     overriding the allowed tags by any of the above mechanisms to include both select and style should     either upgrade or use one of the workarounds immediately.## ReleasesThe FIXED releases are available at     the normal locations.## WorkaroundsRemove either `select` or `style` from the overridden allowed tags.##     CreditsThis vulnerability was responsibly reported by     [windshock](https://hackerone.com/windshock?type=user). (CVE-2022-32209)

  - An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract()     database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value.
    Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
    (CVE-2022-34265)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2022:4587 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3166 advisory.

  - Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static     files. (CVE-2022-29970)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2022:4587 advisory.

    The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.

    Security Fix(es):

    * sinatra: path traversal possible outside of public_dir when serving static files (CVE-2022-29970)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2022:4661 advisory.

  - Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static     files. (CVE-2022-29970)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2022-9513 advisory.

    [0.11.1-10.el9_0.1]
    - Updated bundled rubygems: sinatra, rack-protection
    - Resolves: rhbz#2081333

    [0.11.1-10]
    - Fixed snmp client
    - Fixed translating resource roles in colocation constraint
    - Resolves: rhbz#2048640

    [0.11.1-9]
    - Fixed cluster destroy in web ui
    - Fixed covscan issue in web ui
    - Resolves: rhbz#2044409

    [0.11.1-8]
    - Fixed 'pcs resource move' command
    - Fixed removing of unavailable fence-scsi storage device
    - Fixed ocf validation of ocf linbit drdb agent
    - Fixed creating empty cib
    - Updated pcs-web-ui
    - Resolves: rhbz#1990787 rhbz#2033248 rhbz#2039883 rhbz#2040420

    [0.11.1-7]
    - Fixed enabling corosync-qdevice
    - Fixed resource update command when unable to get agent metadata
    - Fixed revert of disallowing to clone a group with a stonith
    - Resolves: rhbz#1811072 rhbz#2019836 rhbz#2032473

    [0.11.1-6]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Updated pcs web ui
    - Resolves: rhbz#1990787 rhbz#1997019 rhbz#2012129 rhbz#2024542 rhbz#2027678 rhbz#2027679

    [0.11.1-5]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Resolves: rhbz#1990787 rhbz#2018969 rhbz#2019836 rhbz#2023752 rhbz#2012129

    [0.11.1-4]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Updated pcs web ui
    - Enabled wui patching
    - Resolves: rhbz#1811072 rhbz#1945305 rhbz#1997019 rhbz#2012129

    [0.11.1-1]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Resolves: rhbz#1283805 rhbz#1910644 rhbz#1910645  rhbz#1956703 rhbz#1956706 rhbz#1985981 rhbz#1991957     rhbz#1996062 rhbz#1996067

    [0.11.0.alpha.1-1]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Updated pcs web ui
    - Resolves: rhbz#1283805 rhbz#1910644 rhbz#1910645 rhbz#1985981 rhbz#1991957 rhbz#1996067

    [0.10.9-2]
    - Rebuilt for libffi 3.4.2 SONAME transition.
      Related: rhbz#1891914

    [0.10.9-1]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Resolves: rhbz#1991957

    [0.10.8-11]
    - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags       Related: rhbz#1991688

    [0.10.8-10]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Fixed web-ui build
    - Fixed tests for pacemaker 2.1
    - Resolves: rhbz#1975440 rhbz#1922302

    [0.10.8-9]
    - Rebuilt for RHEL 9 BETA for openssl 3.0       Related: rhbz#1971065

    [0.10.8-8]
    - Rebuild with fixed gaiting tests
    - Stopped bundling rubygem-json (use distribution package instead)
    - Fixed patches
    - Resolves: rhbz#1881064

    [0.10.8-7]
    - Fixed License tag
    - Rebuild with fixed dependency for gating tier0 tests
    - Resolves: rhbz#1881064

    [0.10.8-6]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Removed clufter related commands
    - Resolves: rhbz#1881064

    [0.10.8-5]
    - Updated pcs web ui node modules
    - Fixed build issue on low memory build hosts
    - Resolves: rhbz#1951272

    [0.10.8-4]
    - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

    [0.10.8-3]
    - Replace pyOpenSSL with python-cryptography
    - Resolves: rhbz#1927404

    [0.10.8-2]
    - Bundle rubygem depedencies and python3-tornado
    - Resolves: rhbz#1929710

    [0.10.8-1]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Updated pcs-web-ui
    - Updated bundled python dependency: dacite
    - Changed BuildRequires from git to git-core
    - Added conditional (Build)Requires: rubygem(rexml)
    - Added conditional Requires: rubygem(webrick)

    [0.10.7-4]
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

    [0.10.7-3]
    - Rebuilt for https://fedoraproject.org/wiki/Changes/Ruby_3.0

    [0.10.7-2]
    - Python 3.10 related fix

    [0.10.7-1]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Added dependency on python packages pyparsing and dateutil
    - Fixed virtual bundle provides for ember, handelbars, jquery and jquery-ui
    - Removed dependency on python3-clufter

    [0.10.6-2]
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

    [0.10.6-1]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Updated pcs-web-ui
    - Stopped bundling tornado (use distribution package instead)
    - Stopped bundling rubygem-tilt (use distribution package instead)
    - Removed rubygem bundling
    - Removed unneeded BuildRequires: execstack, gcc, gcc-c++
    - Excluded some tests for tornado daemon

    [0.10.5-8]
    - Use make macros
    - https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro

    [0.10.5-7]
    - Use fixed upstream version of dacite with Python 3.9 support
    - Split upstream tests in gating into tiers

    [0.10.5-6]
    - Use patched version of dacite compatible with Python 3.9
    - Resolves: rhbz#1838327

    [0.10.5-5]
    - Rebuilt for Python 3.9

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2022:4661 advisory.

  - Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static     files. (CVE-2022-29970)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2022-9416 advisory.

    [0.10.12-6.0.1.el8_6.1]
    - Replace HAM-logo.png with a generic one

    [0.10.12-6.el8_6.1]
    - Updated bundled rubygems: sinatra, rack-protection
    - Resolves: rhbz#2081331

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2022:4661 advisory.

    The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.

    Security Fix(es):

    * sinatra: path traversal possible outside of public_dir when serving static files (CVE-2022-29970)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2022:2255 advisory.

    The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.

    Security Fix(es):

    * sinatra: path traversal possible outside of public_dir when serving static files (CVE-2022-29970)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2022:2253 advisory.

    The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.

    Security Fix(es):

    * sinatra: path traversal possible outside of public_dir when serving static files (CVE-2022-29970)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2022:2256 advisory.

    The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.

    Security Fix(es):

    * sinatra: path traversal possible outside of public_dir when serving static files (CVE-2022-29970)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
206670	Debian dla-3877 : ruby-rack-protection - security update	Nessus	Debian Local Security Checks	high
194188	RHEL 8 : Satellite 6.12 Release (Important) (RHSA-2022:8506)	Nessus	Red Hat Local Security Checks	critical
184617	Rocky Linux 8 : Satellite 6.12 Release (Important) (RLSA-2022:8506)	Nessus	Rocky Linux Local Security Checks	critical
167659	AlmaLinux 9 : pcs (ALSA-2022:4587)	Nessus	Alma Linux Local Security Checks	high
166676	Debian DLA-3166-1 : ruby-sinatra - LTS security update	Nessus	Debian Local Security Checks	high
164845	RHEL 9 : pcs (RHSA-2022:4587)	Nessus	Red Hat Local Security Checks	high
162846	Rocky Linux 8 : pcs (RLSA-2022:4661)	Nessus	Rocky Linux Local Security Checks	high
162813	Oracle Linux 9 : pcs (ELSA-2022-9513)	Nessus	Oracle Linux Local Security Checks	high
161482	AlmaLinux 8 : pcs (ALSA-2022:4661)	Nessus	Alma Linux Local Security Checks	high
161399	Oracle Linux 8 : pcs (ELSA-2022-9416)	Nessus	Oracle Linux Local Security Checks	high
161366	RHEL 8 : pcs (RHSA-2022:4661)	Nessus	Red Hat Local Security Checks	high
161240	RHEL 8 : pcs (RHSA-2022:2255)	Nessus	Red Hat Local Security Checks	high
161216	RHEL 8 : pcs (RHSA-2022:2253)	Nessus	Red Hat Local Security Checks	high
161215	RHEL 8 : pcs (RHSA-2022:2256)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2022-29970

high

Tenable Plugins

high

critical

critical

high

high

high

high

high

high

high

high

high

high

high