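Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files, so a request whose path expands to a location outside public_dir is not rejected (a path traversal weakness in static file serving).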
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "3.0.5-3", "binary_name": "ruby-rack-protection" }, { "binary_version": "3.0.5-3", "binary_name": "ruby-sinatra" }, { "binary_version": "3.0.5-3", "binary_name": "ruby-sinatra-contrib" } ] }