Mongrel vulnerable to directory traversal via double-encoded sequences
Published: May 01, 2022
SECURITY IDENTIFIERS
- CVE: CVE-2007-6612 (NVD)
- GHSA: GHSA-m7r6-43v2-49vf
GEM
SEVERITY
CVSS v2.0: 6.4 (Medium)
UNAFFECTED VERSIONS
< 1.0.4
PATCHED VERSIONS
~> 1.0.5
>= 1.1.3
DESCRIPTION
Directory traversal vulnerability in DirHandler (lib/mongrel/handlers.rb)
in Mongrel 1.0.4 (1.0.3 and prior are not affected) and 1.1.x before
1.1.3 allows remote attackers to read arbitrary files via an HTTP
request containing double-encoded sequences (.%252e).
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2007-6612
- https://lists.apple.com/archives/security-announce/2008//May/msg00001.html
- https://web.archive.org/web/20080111034049/http://rubyforge.org/pipermail/mongrel-users/2007-December/004743.html
- https://web.archive.org/web/20200301091534/http://www.securityfocus.com/bid/27133
- https://github.com/advisories/GHSA-m7r6-43v2-49vf