Vulnerability CVE-2018-12026
Published: 2018-06-17

Description:
During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in turn can result in information disclosure and privilege escalation.

Type:

CWE-59

 (Improper Link Resolution Before File Access ('Link Following'))

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Phusion -> Passenger 

 References:
https://blog.phusion.nl/passenger-5-3-2
https://security.gentoo.org/glsa/201807-02
Copyright 2024, cxsecurity.com

 

Back to Top