Symlink File Overwrite Affecting passenger package, versions < 4.0.37

Snyk CVSS

Attack Complexity Low

Threat Intelligence

EPSS 0.04% (6^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-PASSENGER-20142
published 27 Jan 2014
disclosed 27 Jan 2014
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 27 Jan 2014

CVE-2014-1831 Open this link in a new tab CWE-208 Open this link in a new tab

Overview

passenger is a modern web server and application server for Ruby, Python and Node.js, optimized for performance, low memory usage and ease of use.

Affected versions of this gem create the server instance directory insecurely. An attacker can create a symlink to overwrite an otherwise inaccessible file, possibly inserting content provided by the attacker.

References

http://rubysec.com/advisories/CVE-2014-1831
https://github.com/phusion/passenger/commit/34b1087870c2
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736958