Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tN3I2LTQzdjItNDl2Zs2t2Q

Mongrel vulnerable to directory traversal via double-encoded sequences

Directory traversal vulnerability in DirHandler (lib/mongrel/handlers.rb) in Mongrel 1.0.4 (1.0.3 and prior are not affected) and 1.1.x before 1.1.3 allows remote attackers to read arbitrary files via an HTTP request containing double-encoded sequences (.%252e).

Permalink: https://github.com/advisories/GHSA-m7r6-43v2-49vf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tN3I2LTQzdjItNDl2Zs2t2Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: 2 months ago

Identifiers: GHSA-m7r6-43v2-49vf, CVE-2007-6612
References:

https://nvd.nist.gov/vuln/detail/CVE-2007-6612
https://lists.apple.com/archives/security-announce/2008//May/msg00001.html
https://web.archive.org/web/20080111034049/http://rubyforge.org/pipermail/mongrel-users/2007-December/004743.html
https://web.archive.org/web/20200301091534/http://www.securityfocus.com/bid/27133
https://github.com/advisories/GHSA-m7r6-43v2-49vf

Affected Packages

rubygems:mongrel

Versions: >= 1.1.0, < 1.1.3, = 1.0.4
Fixed in: 1.1.3, 1.0.5