Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tN3I2LTQzdjItNDl2Zs2t2Q

Mongrel vulnerable to directory traversal via double-encoded sequences

Directory traversal vulnerability in DirHandler (lib/mongrel/handlers.rb) in Mongrel 1.0.4 (1.0.3 and prior are not affected) and 1.1.x before 1.1.3 allows remote attackers to read arbitrary files via an HTTP request containing double-encoded sequences (.%252e).

Permalink: https://github.com/advisories/GHSA-m7r6-43v2-49vf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tN3I2LTQzdjItNDl2Zs2t2Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 10 months ago


Identifiers: GHSA-m7r6-43v2-49vf, CVE-2007-6612
References: Blast Radius: 0.0

Affected Packages

rubygems:mongrel
Dependent packages: 154
Dependent repositories: 1,869
Downloads: 2,087,318 total
Affected Version Ranges: >= 1.1.0, < 1.1.3, = 1.0.4
Fixed in: 1.1.3, 1.0.5
All affected versions: 1.0.4, 1.1.1, 1.1.2
All unaffected versions: 0.2.0, 0.2.1, 0.2.2, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.3.12, 0.3.13, 1.0.1, 1.0.2, 1.0.3, 1.0.5, 1.1.3, 1.1.4, 1.1.5