Privilege Escalation

Affecting passenger gem, versions <5.3.2

Overview

passenger is a modern web server and application server for Ruby, Python and Node.js, optimized for performance, low memory usage and ease of use.

Affected versions of this package are vulnerable to Privilege Escalation when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured.

Remediation

Upgrade passenger to version 5.3.2 or higher.

CVSS Score

7.0
high severity
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Credit
Unknown
CVE
CVE-2018-12029
CWE
CWE-264
Snyk ID
SNYK-RUBY-PASSENGER-22036
Disclosed
12 Jun, 2018
Published
20 Jun, 2018