CVE-2022-45442
Reflected File Download (RFD) vulnerability in sinatra (RubyGems)

Reflected File Download (RFD) | No known exploit

What is CVE-2022-45442 About?

This vulnerability, affecting Sinatra versions before 2.2.3 and 3.0.x versions before 3.0.4, enables a Reflected File Download (RFD) attack. It allows an attacker to influence the 'Content-Disposition' header through user-supplied input and so trick browsers into downloading a malicious file under a trusted-looking filename. This lends itself to social engineering and malware execution, making it a high-impact vulnerability that is relatively easy to exploit under specific circumstances.

Affected Software

  • sinatra
    • >=2.0.0, <2.2.3
    • >=3.0, <3.0.4

Technical Details

The vulnerability is a Reflected File Download (RFD) weakness in Sinatra versions prior to 2.2.3 in the 2.x series and prior to 3.0.4 in the 3.0 series. An RFD attack occurs when a web application reflects user-supplied input into the 'Content-Disposition' HTTP header, which controls the filename the browser assigns to a downloaded file. An attacker crafts a URL that carries malicious content. When a user opens that URL, a Sinatra application that derives the 'Content-Disposition' filename directly or predictably from unsanitized user input in the URL (e.g., query parameters or path segments) serves the malicious content under a filename that appears trusted (e.g., 'document.exe' rather than something obviously suspicious such as 'document.txt.malicious'). The browser downloads, and the user may execute, a malicious file, because the user trusts the website it came from.

What is the Impact of CVE-2022-45442?

Successful exploitation may allow attackers to trick users into downloading and executing malicious files, leading to arbitrary code execution, system compromise, or data theft through social engineering attacks.

What is the Exploitability of CVE-2022-45442?

Exploitation of this RFD vulnerability is of moderate complexity: the attacker must craft a malicious URL and trick the user into opening it. No authentication is required, and the attack is carried out remotely. The core requirement is that the Sinatra application dynamically generates the 'Content-Disposition' header from unsanitized user-supplied input; there are no special preconditions beyond the application deriving filenames from user input. Factors that raise the likelihood of exploitation include applications that frequently serve dynamic file downloads and a lack of robust input sanitization on the parameters used in Content-Disposition headers.
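As an added example (not Sinatra's own code or the project's fix), the pattern described under Technical Details and in the paragraph above, a Content-Disposition header built verbatim from user input, shown beside a hardened builder that strips path components and header-breaking characters and enforces an extension allowlist, plus a response-side check a test suite can apply. The allowlisted extensions and the sample inputs are assumptions constructed for the example.

```ruby
# Added example, not Sinatra's own code: the header-building pattern the advisory
# describes (user input reflected verbatim into Content-Disposition) beside a
# hardened builder and a response-side check.

# Weak pattern: whatever the client supplied lands in the header unchanged.
def unsafe_content_disposition(user_filename)
  "attachment; filename=\"#{user_filename}\""
end

# Extensions this (assumed) application is willing to hand out as downloads.
SAFE_EXTENSIONS = %w[txt csv pdf png].freeze

# Returns [header_value, status]; header_value is nil when the name is rejected.
def safe_content_disposition(user_filename, allowed = SAFE_EXTENSIONS)
  name = File.basename(user_filename.to_s)  # drop directory components
  # Character allowlist: removes CR/LF, quotes, ';' and anything else that could
  # alter the header; ASCII-only on purpose (RFC 6266 filename* is a separate step).
  name = name.gsub(/[^\w.\-]/, "")
  return [nil, :empty] if name.empty? || name == "." || name == ".."
  return [nil, :too_long] if name.length > 255
  ext = File.extname(name).delete_prefix(".").downcase
  return [nil, :disallowed_extension] unless allowed.include?(ext)
  ["attachment; filename=\"#{name}\"", :ok]
end

# Response-side check for a test suite or middleware: accepts only the exact
# shape the safe builder emits, with an allowlisted extension.
def content_disposition_ok?(value, allowed = SAFE_EXTENSIONS)
  m = value.to_s.match(/\Aattachment; filename="([\w.\-]+)"\z/)
  return false unless m
  allowed.include?(File.extname(m[1]).delete_prefix(".").downcase)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a normal name, a path-traversal name, a quote
  # injection and a CRLF injection.
  ["report.txt", "../../setup.bat", 'notes.txt"; filename="evil.exe',
   "a.txt\r\nX-Injected: 1"].each do |input|
    header, status = safe_content_disposition(input)
    puts "#{input.inspect} -> #{status} #{header.inspect}"
  end
end
```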

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-45442?

Available Upgrade Options

  • sinatra
    • >=2.0.0, <2.2.3 → Upgrade to 2.2.3
  • sinatra
    • >=3.0, <3.0.4 → Upgrade to 3.0.4

Additional Resources

What are Similar Vulnerabilities to CVE-2022-45442?

Similar Vulnerabilities: CVE-2014-8742, CVE-2015-0902, CVE-2016-0785, CVE-2016-0786, CVE-2016-5690