Bug 2081096 (CVE-2022-29970)
Summary: | CVE-2022-29970 sinatra: path traversal possible outside of public_dir when serving static files | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Todd Cullum <tcullum>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | unspecified | CC: | bbuckingham, bcourt, btotty, caswilli, cfeist, cluster-maint, ehelms, idevat, jaruga, jsherril, kaycoth, kmalyjur, lkundrak, lzap, mhulan, mlisik, mmccune, mpospisi, myarboro, nmoumoul, omular, orabin, pcreech, rchan, ruby-packagers-sig, tojeline, valtri, vondruch
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | sinatra 2.2.0 | Doc Type: | If docs needed, set a value
Doc Text: | A flaw was found in Sinatra when serving static files from the public directory. The requested path is not validated to confirm that it resolves inside the public directory, allowing files outside of the public directory to be served. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2022-05-18 19:33:19 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 2081138, 2081139, 2081142, 2081327, 2081328, 2081329, 2081330, 2081331, 2081332, 2081333, 2081334, 2081335, 2082104, 2082105, 2082106, 2082107, 2082108, 2082109, 2082110, 2082111, 2082112, 2082113, 2082114, 2082115, 2082116, 2082117, 2082118, 2082119, 2082120, 2082121, 2082122, 2082123 | |
Bug Blocks: | 2081098 | |
Description
Todd Cullum
2022-05-02 18:15:30 UTC
Created rubygem-sinatra tracking bugs for this issue:

Affects: epel-all [bug 2081138]
Affects: fedora-all [bug 2081139]

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
Via RHSA-2022:2255 https://access.redhat.com/errata/RHSA-2022:2255

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Extended Update Support
Via RHSA-2022:2253 https://access.redhat.com/errata/RHSA-2022:2253

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Extended Update Support
Via RHSA-2022:2256 https://access.redhat.com/errata/RHSA-2022:2256

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2022:4587 https://access.redhat.com/errata/RHSA-2022:4587

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:4661 https://access.redhat.com/errata/RHSA-2022:4661

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2022-29970

This issue has been addressed in the following products:
Red Hat Satellite 6.12 for RHEL 8
Via RHSA-2022:8506 https://access.redhat.com/errata/RHSA-2022:8506
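As an added illustration of the flaw described in the Doc Text (example code written for this page, not Sinatra's own implementation), a weak static-path resolver is shown beside a hardened one that refuses any path resolving outside the public folder; PUBLIC_DIR, the helper names and the request paths are constructed for the example and nothing is read from disk.

```ruby
# Added example (not Sinatra's code): resolving a request path against a
# static "public" folder with and without a containment check.
# Assumption: PUBLIC_DIR is an illustrative public_folder value.
PUBLIC_DIR = '/srv/app/public'.freeze

# Minimal percent-decoding, as a static handler does before joining paths.
def percent_decode(str)
  str.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
end

# Weak resolver: joins public_dir and the decoded path_info, then normalises.
# File.expand_path collapses "..", so a traversal sequence in path_info yields
# a path outside public_dir that a caller would then serve.
def weak_resolve(path_info, public_dir = PUBLIC_DIR)
  File.expand_path("#{public_dir}#{percent_decode(path_info)}")
end

# Hardened resolver: same join, plus a check that the normalised result lies
# strictly below the normalised public_dir. Comparing against root + "/"
# (not bare root) also rejects sibling directories that merely share the
# prefix, e.g. "/srv/app/public_old". Returns nil for anything outside.
def safe_resolve(path_info, public_dir = PUBLIC_DIR)
  root = File.expand_path(public_dir)
  path = File.expand_path("#{public_dir}#{percent_decode(path_info)}")
  return nil unless path.start_with?(root + File::SEPARATOR)

  path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request paths: one legitimate asset, three that escape.
  ['/css/app.css', '/../secrets.yml', '/..%2Fsecrets.yml', '/../public_old/x'].each do |req|
    puts format('%-20s weak=%-30s safe=%s', req, weak_resolve(req), safe_resolve(req).inspect)
  end
end
```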