CVE-2011-1589

NONE EPSS 88.8%
Published Apr 29, 2011 (15y ago) · Modified Jun 16, 2026 (2w ago)

Description

Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.

Threat Intelligence

EPSS Exploit Probability
88.8% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

Affected Products 82

Vendor | Product | Version | Range
mojolicious | mojolicious | 0.2 | any
mojolicious | mojolicious | 0.3 | any
mojolicious | mojolicious | 0.4 | any
mojolicious | mojolicious | 0.5 | any
mojolicious | mojolicious | 0.6 | any
mojolicious | mojolicious | 0.7 | any
mojolicious | mojolicious | 0.8 | any
mojolicious | mojolicious | 0.8.1 | any
mojolicious | mojolicious | 0.8.2 | any
mojolicious | mojolicious | 0.8.3 | any
mojolicious | mojolicious | 0.8.4 | any
mojolicious | mojolicious | 0.8.5 | any
mojolicious | mojolicious | 0.9 | any
mojolicious | mojolicious | 0.8006 | any
mojolicious | mojolicious | 0.8007 | any
mojolicious | mojolicious | 0.8008 | any
mojolicious | mojolicious | 0.8009 | any
mojolicious | mojolicious | 0.9001 | any
mojolicious | mojolicious | 0.9002 | any
mojolicious | mojolicious | 0.991231 | any
mojolicious | mojolicious | 0.991232 | any
mojolicious | mojolicious | 0.991233 | any
mojolicious | mojolicious | 0.991234 | any
mojolicious | mojolicious | 0.991235 | any
mojolicious | mojolicious | 0.991236 | any
mojolicious | mojolicious | 0.991237 | any
mojolicious | mojolicious | 0.991238 | any
mojolicious | mojolicious | 0.991239 | any
mojolicious | mojolicious | 0.991240 | any
mojolicious | mojolicious | 0.991241 | any
mojolicious | mojolicious | 0.991242 | any
mojolicious | mojolicious | 0.991243 | any
mojolicious | mojolicious | 0.991244 | any
mojolicious | mojolicious | 0.991245 | any
mojolicious | mojolicious | 0.991246 | any
mojolicious | mojolicious | 0.991250 | any
mojolicious | mojolicious | 0.991251 | any
mojolicious | mojolicious | 0.999901 | any
mojolicious | mojolicious | 0.999902 | any
mojolicious | mojolicious | 0.999903 | any
mojolicious | mojolicious | 0.999904 | any
mojolicious | mojolicious | 0.999905 | any
mojolicious | mojolicious | 0.999906 | any
mojolicious | mojolicious | 0.999907 | any
mojolicious | mojolicious | 0.999908 | any
mojolicious | mojolicious | 0.999909 | any
mojolicious | mojolicious | 0.999910 | any
mojolicious | mojolicious | 0.999911 | any
mojolicious | mojolicious | 0.999912 | any
mojolicious | mojolicious | 0.999913 | any
mojolicious | mojolicious | 0.999914 | any
mojolicious | mojolicious | 0.999920 | any
mojolicious | mojolicious | 0.999921 | any
mojolicious | mojolicious | 0.999922 | any
mojolicious | mojolicious | 0.999923 | any
mojolicious | mojolicious | 0.999924 | any
mojolicious | mojolicious | 0.999925 | any
mojolicious | mojolicious | 0.999926 | any
mojolicious | mojolicious | 0.999927 | any
mojolicious | mojolicious | 0.999928 | any
mojolicious | mojolicious | 0.999929 | any
mojolicious | mojolicious | 0.999930 | any
mojolicious | mojolicious | 0.999931 | any
mojolicious | mojolicious | 0.999932 | any
mojolicious | mojolicious | 0.999933 | any
mojolicious | mojolicious | 0.999934 | any
mojolicious | mojolicious | 0.999935 | any
mojolicious | mojolicious | 0.999936 | any
mojolicious | mojolicious | 0.999937 | any
mojolicious | mojolicious | 0.999938 | any
mojolicious | mojolicious | 0.999939 | any
mojolicious | mojolicious | 0.999940 | any
mojolicious | mojolicious | 0.999941 | any
mojolicious | mojolicious | 0.999950 | any
mojolicious | mojolicious | 1.0 | any
mojolicious | mojolicious | 1.1 | any
mojolicious | mojolicious | 1.01 | any
mojolicious | mojolicious | 1.11 | any
mojolicious | mojolicious | 1.12 | any
mojolicious | mojolicious | 1.13 | any
mojolicious | mojolicious | 1.14 | any
mojolicious | mojolicious | 1.15 | any

References 20

  • bugs.debian.org http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622952
    Exploit
  • cpansearch.perl.org http://cpansearch.perl.org/src/KRAIH/Mojolicious-1.16/Changes
  • lists.fedoraproject.org http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058885.html
  • lists.fedoraproject.org http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058891.html
  • openwall.com http://openwall.com/lists/oss-security/2011/04/17/1
    Exploit, Patch
  • openwall.com http://openwall.com/lists/oss-security/2011/04/18/3
    Exploit, Patch
  • openwall.com http://openwall.com/lists/oss-security/2011/04/18/7
    Exploit
  • perlninja.posterous.com http://perlninja.posterous.com/sharks-in-the-water
  • search.cpan.org http://search.cpan.org/CPAN/authors/id/K/KR/KRAIH/Mojolicious-1.16.tar.gz
    Patch
  • secunia.com http://secunia.com/advisories/44051
    Vendor Advisory
  • secunia.com http://secunia.com/advisories/44359
  • debian.org http://www.debian.org/security/2011/dsa-2221
  • osvdb.org http://www.osvdb.org/71850
    Exploit
  • securityfocus.com http://www.securityfocus.com/bid/47402
  • vupen.com http://www.vupen.com/english/advisories/2011/1072
  • vupen.com http://www.vupen.com/english/advisories/2011/1093
  • bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=697229
    Exploit, Patch
  • exchange.xforce.ibmcloud.com https://exchange.xforce.ibmcloud.com/vulnerabilities/66830
  • github.com https://github.com/kraih/mojo/commit/b09854988c5b5b6a2ba53cc8661c4b2677da3818
    Patch
  • github.com https://github.com/kraih/mojo/issues/114
    Exploit

Remediation

  • openwall.com http://openwall.com/lists/oss-security/2011/04/17/1
    Exploit, Patch
  • openwall.com http://openwall.com/lists/oss-security/2011/04/18/3
    Exploit, Patch
  • search.cpan.org http://search.cpan.org/CPAN/authors/id/K/KR/KRAIH/Mojolicious-1.16.tar.gz
    Patch
  • bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=697229
    Exploit, Patch
  • github.com https://github.com/kraih/mojo/commit/b09854988c5b5b6a2ba53cc8661c4b2677da3818
    Patch