Red Hat Bugzilla – Bug 427663
CVE-2007-6612 mongrel: "DirHandler" Directory Traversal Vulnerability
Last modified: 2008-01-15 09:46:12 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6612 to the following vulnerability:
Directory traversal vulnerability in DirHandler (lib/mongrel/handlers.rb) in Mongrel 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to read arbitrary files via an HTTP request containing double-encoded sequences (".%252e").
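The following is an added illustration of the bug class the CVE text describes, not Mongrel's actual DirHandler code: a static-file handler that percent-decodes the request path twice, checking for ".." only between the two decodes, next to one that decodes exactly once and then confines the canonicalised result to the document root. The document root and the request paths are constructed for the example.

```ruby
# Constructed illustration of the CVE-2007-6612 bug class (double-decoded
# ".%252e" traversal).  Not Mongrel's code; DOC_ROOT is a hypothetical root.
class TraversalExample
  DOC_ROOT = File.expand_path("/var/www/docs")

  # Minimal percent-decoder: "%2e" -> ".", "%25" -> "%".  Plain String#gsub,
  # so no library or network access is needed.
  def self.percent_decode(s)
    s.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  end

  # Flawed handler: the ".." check runs on the once-decoded path, but the
  # path is decoded a second time before it is joined to DOC_ROOT.
  #   "/.%252e/etc/passwd" -> "/.%2e/etc/passwd"  (no ".." yet, check passes)
  #                        -> "/../etc/passwd"    (after the second decode)
  # Returns nil when the request is rejected, else the resolved filesystem path.
  def self.flawed_resolve(path_info)
    once = percent_decode(path_info)
    return nil if once.include?("..")
    twice = percent_decode(once)
    File.expand_path(File.join(DOC_ROOT, twice))
  end

  # Hardened handler: decode exactly once, canonicalise with expand_path
  # (which resolves "." and ".." lexically), and require the result to be
  # DOC_ROOT itself or something strictly beneath it.  A double-encoded
  # ".%252e" is then just a literal directory named ".%2e" under the root.
  def self.safe_resolve(path_info)
    decoded = percent_decode(path_info)
    full = File.expand_path(File.join(DOC_ROOT, decoded))
    inside = full == DOC_ROOT || full.start_with?(DOC_ROOT + File::SEPARATOR)
    inside ? full : nil
  end
end

if $PROGRAM_NAME == __FILE__
  probe = "/.%252e/.%252e/.%252e/etc/passwd"   # constructed double-encoded request
  puts "flawed: #{TraversalExample.flawed_resolve(probe).inspect}"
  puts "safe:   #{TraversalExample.safe_resolve(probe).inspect}"
  puts "single-encoded, safe: #{TraversalExample.safe_resolve('/%2e%2e/%2e%2e/%2e%2e/etc/passwd').inspect}"
end
```

The check in `safe_resolve` compares the canonicalised absolute path against the root rather than scanning the request for ".." substrings; that is the property a traversal filter actually needs, and it holds no matter how many encoding layers the client stacks, because the server only ever decodes once.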
As this bug was introduced in 1.0.4 (1.0.3 and earlier are not susceptible), the
current fedora package (which is at 1.0.1) is not vulnerable. I will upgrade the
packages to 1.0.5 or 1.1.3 when I get the chance, though,
Thanks, Scott, for the clarification. As versions shipped in Fedora are not affected
by this issue, we will not be tracking this as a security issue and I'm closing
If you decide to update to a newer version in Fedora, please submit such an update as
an enhancement, unless some other (future) security issue is addressed there.