ADVISORIES

• CVE-2007-6612 (NVD)
• GHSA-m7r6-43v2-49vf

GEM

mongrel

SEVERITY

CVSS v2.0: 6.4 (Medium)

UNAFFECTED VERSIONS

• < 1.0.4

PATCHED VERSIONS

• ~> 1.0.5
• >= 1.1.3

DESCRIPTION

Directory traversal vulnerability in DirHandler (lib/mongrel/handlers.rb) in Mongrel 1.0.4 (1.0.3 and prior are not affected) and 1.1.x before 1.1.3 allows remote attackers to read arbitrary files via an HTTP request containing double-encoded sequences (.%252e).

RELATED

• https://nvd.nist.gov/vuln/detail/CVE-2007-6612
• https://lists.apple.com/archives/security-announce/2008//May/msg00001.html
• https://web.archive.org/web/20080111034049/http://rubyforge.org/pipermail/mongrel-users/2007-December/004743.html
• https://web.archive.org/web/20200301091534/http://www.securityfocus.com/bid/27133
• https://github.com/advisories/GHSA-m7r6-43v2-49vf