Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tN3I2LTQzdjItNDl2Zs2t2Q
Mongrel vulnerable to directory traversal via double-encoded sequences
Directory traversal vulnerability in DirHandler (lib/mongrel/handlers.rb) in Mongrel 1.0.4 (1.0.3 and prior are not affected) and 1.1.x before 1.1.3 allows remote attackers to read arbitrary files via an HTTP request containing double-encoded sequences (.%252e).
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tN3I2LTQzdjItNDl2Zs2t2Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 8 months ago
Identifiers: GHSA-m7r6-43v2-49vf, CVE-2007-6612
References:
- https://nvd.nist.gov/vuln/detail/CVE-2007-6612
- https://lists.apple.com/archives/security-announce/2008//May/msg00001.html
- https://web.archive.org/web/20080111034049/http://rubyforge.org/pipermail/mongrel-users/2007-December/004743.html
- https://web.archive.org/web/20200301091534/http://www.securityfocus.com/bid/27133
- https://github.com/advisories/GHSA-m7r6-43v2-49vf
Affected Packages
rubygems:mongrel
Dependent packages: 154Dependent repositories: 1,869
Downloads: 2,084,346 total
Affected Version Ranges: >= 1.1.0, < 1.1.3, = 1.0.4
Fixed in: 1.1.3, 1.0.5
All affected versions: 1.0.4, 1.1.1, 1.1.2
All unaffected versions: 0.2.0, 0.2.1, 0.2.2, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.3.12, 0.3.13, 1.0.1, 1.0.2, 1.0.3, 1.0.5, 1.1.3, 1.1.4, 1.1.5