sinatra 2.0.1

3 security vulnerabilities found in version 2.0.1

Sinatra vulnerable to Reflected File Download attack

high severity CVE-2022-45442
Patched versions: ~> 2.2.3, >= 3.0.4

An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input.

sinatra does not validate expanded path matches

high severity CVE-2022-29970
Patched versions: >= 2.2.0

Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.

XSS via the 400 Bad Request page

medium severity CVE-2018-11627
Patched versions: >= 2.0.2
Unaffected versions: < 2.0.0.beta1, = 2.0.0.pre.alpha

Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leak issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.