Privilege Escalation

Affecting passenger gem, versions <5.3.2

high severity

Overview

passenger is a modern web server and application server for Ruby, Python and Node.js, optimized for performance, low memory usage and ease of use.

Affected versions of this package are vulnerable to Privilege Escalation when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured.
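
A defender-side check for the condition described above, as an added example that is not part of the advisory or Passenger's own code: it extracts the configured registry directory from Nginx (`passenger_instance_registry_dir`) or Apache (`PassengerInstanceRegistryDir`) configuration text and flags directories that users other than the owner can write to. Treating any group- or world-writable mode as "insufficiently strict" is an assumption made here, since the advisory does not define the threshold; the function names and sample paths are constructed for illustration.

```ruby
# Audit the Passenger instance registry directory named in web server config.
# Assumed policy (not from the advisory): any group- or world-writable
# directory is reported, and the sticky bit is shown for the reviewer.

# Nginx spelling: passenger_instance_registry_dir /path;
# Apache spelling: PassengerInstanceRegistryDir /path
DIRECTIVE = /^\s*(?:passenger_instance_registry_dir|PassengerInstanceRegistryDir)\s+["']?([^"';\s]+)/

# Return every directory configured in the text. Commented-out lines do not
# match because the directive must be the first token on the line.
def configured_registry_dirs(config_text)
  config_text.each_line.filter_map { |line| line[DIRECTIVE, 1] }.uniq
end

# Inspect one directory and classify its permissions.
def audit_registry_dir(path)
  stat = File.stat(path)
  return { path: path, status: :not_a_directory } unless stat.directory?

  mode = stat.mode & 0o7777
  writable_by_others = (mode & 0o022) != 0
  { path: path,
    mode: format("%04o", mode),
    owner_uid: stat.uid,
    sticky: (mode & 0o1000) != 0,
    status: writable_by_others ? :writable_by_others : :ok }
rescue Errno::ENOENT
  { path: path, status: :missing }
end

# Audit every registry directory found in a configuration text.
def audit_config(config_text)
  configured_registry_dirs(config_text).map { |dir| audit_registry_dir(dir) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample configuration; the paths are placeholders.
  sample = <<~CONF
    http {
        passenger_root /srv/example/passenger;
        passenger_instance_registry_dir /srv/example/passenger-instreg;
    }
  CONF
  audit_config(sample).each { |finding| puts finding }
end
```

A `:writable_by_others` result on a host running a passenger version below 5.3.2 is the configuration this advisory describes; upgrading remains the remediation.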

Remediation

Upgrade passenger to version 5.3.2 or higher.

Credit: Unknown
CVE: CVE-2018-12029
CWE: CWE-264
Snyk ID: SNYK-RUBY-PASSENGER-22036
Disclosed: 12 Jun, 2018
Published: 20 Jun, 2018