Sync with GitHub Security Advisories

reedloden · reedloden · commit 2a00cfa4d26b · 2022-12-12T00:19:38.000-08:00
* Add CVE-2022-45442 for sinatra * Add CVSSv3 score for several advisories
diff --git a/gems/activerecord/CVE-2022-32224.yml b/gems/activerecord/CVE-2022-32224.yml
@@ -70,6 +70,7 @@ description: |
   -----------
   There are no feasible workarounds for this issue, but other coders (such as
   JSON) are not impacted.
+cvss_v3: 9.8
 patched_versions:
 - "~> 5.2.8, >= 5.2.8.1"
 - "~> 6.0.5, >= 6.0.5.1"
diff --git a/gems/rack/CVE-2022-30122.yml b/gems/rack/CVE-2022-30122.yml
@@ -38,6 +38,7 @@ description: |
 
   ## Workarounds
   There are no feasible workarounds for this issue.
+cvss_v3: 7.5
 unaffected_versions:
 - "< 1.2"
 patched_versions:
diff --git a/gems/rack/CVE-2022-30123.yml b/gems/rack/CVE-2022-30123.yml
@@ -38,6 +38,7 @@ description: |
 
   ## Workarounds
   Remove these middleware from your application
+cvss_v3: 10.0
 patched_versions:
 - "~> 2.0.9, >= 2.0.9.1"
 - "~> 2.1.4, >= 2.1.4.1"
diff --git a/gems/sinatra/CVE-2022-45442.yml b/gems/sinatra/CVE-2022-45442.yml
@@ -0,0 +1,22 @@
+---
+gem: sinatra
+cve: 2022-45442
+ghsa: 2x8x-jmrp-phxw
+url: https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw
+title: Sinatra vulnerable to Reflected File Download attack
+date: 2022-11-30
+description: |
+  An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4.
+  An application is vulnerable to a reflected file download (RFD) attack that
+  sets the Content-Disposition header of a response when the filename is
+  derived from user-supplied input.
+cvss_v3: 8.8
+patched_versions:
+- "~> 2.2.3"
+- ">= 3.0.4"
+related:
+  url:
+  - https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf
+  - https://github.com/sinatra/sinatra/commit/ea8fc9495a350f7551b39e3025bfcd06f49f363b
+  ghsa:
+  - 8x94-hmjh-97hq
