CVE-2018-12026

Source
https://nvd.nist.gov/vuln/detail/CVE-2018-12026
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-12026.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-12026
Aliases
Related
Published
2018-06-17T20:29:00Z
Modified
2024-09-03T02:03:58.181744Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in turn can result in information disclosure and privilege escalation.

References

Affected packages

Git / github.com/phusion/passenger

Affected ranges

Type
GIT
Repo
https://github.com/phusion/passenger
Events

Affected versions

release-5.*

release-5.3.0
release-5.3.1