UBUNTU-CVE-2018-12026

Source
https://ubuntu.com/security/CVE-2018-12026
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-12026.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2018-12026
Published
2018-06-17T20:29:00Z
Modified
2018-06-17T20:29:00Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in turn can result in information disclosure and privilege escalation.

Affected packages

Ubuntu:22.04:LTS / passenger

Package

Name
passenger
Purl
pkg:deb/ubuntu/passenger?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.0.10-3build1

Affected versions

5.*

5.0.30-1.2

6.*

6.0.10-3

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "6.0.10-3build1",
            "binary_name": "libapache2-mod-passenger"
        },
        {
            "binary_version": "6.0.10-3build1",
            "binary_name": "libapache2-mod-passenger-dbgsym"
        },
        {
            "binary_version": "6.0.10-3build1",
            "binary_name": "passenger"
        },
        {
            "binary_version": "6.0.10-3build1",
            "binary_name": "passenger-dbgsym"
        }
    ]
}