CVE-2017-16355
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2017-16355
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-16355.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2017-16355
- Aliases
- Related
- Published
- 2017-12-14T22:29:00Z
- Modified
- 2024-09-11T04:13:40.774108Z
- Severity
-
- 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from the application root folder to a file of choice and querying passenger-status --show=xml.
- References
-
- https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/
- https://www.debian.org/security/2019/dsa-4415
- https://seclists.org/bugtraq/2019/Mar/34
- https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf
- https://security-tracker.debian.org/tracker/CVE-2017-16355
Affected packages
Debian:11 / passenger
Package
- Name
- passenger
- Purl
- pkg:deb/debian/passenger?arch=source
Debian:12 / passenger
Package
- Name
- passenger
- Purl
- pkg:deb/debian/passenger?arch=source
Debian:13 / passenger
Package
- Name
- passenger
- Purl
- pkg:deb/debian/passenger?arch=source
Git / github.com/phusion/passenger
Affected ranges
- Type
- GIT
- Repo
- https://github.com/phusion/passenger
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
release-1.*
release-1.0.0
release-1.0.1
release-1.0.2
release-1.0.3
release-1.0.4
release-1.0.5
release-1.9.0
release-1.9.1
release-2.*
release-2.0.1
release-2.0.2
release-2.1.1
release-2.1.2
release-2.1.3
release-2.2.0
release-2.2.1
release-2.2.10
release-2.2.11
release-2.2.12
release-2.2.13
release-2.2.14
release-2.2.15
release-2.2.2
release-2.2.3
release-2.2.4
release-2.2.5
release-2.2.6
release-2.2.7
release-2.2.8
release-2.2.9
release-3.*
release-3.0.0
release-3.0.0.pre1
release-3.0.0.pre2
release-3.0.0.pre3
release-3.0.0.rc1
release-3.0.1
release-3.0.10
release-3.0.11
release-3.0.12
release-3.0.13
release-3.0.14
release-3.0.15
release-3.0.17
release-3.0.18
release-3.0.2
release-3.0.3
release-3.0.4
release-3.0.5
release-3.0.6
release-3.0.7
release-3.0.8
release-3.0.9
release-3.9.0.beta
release-3.9.1.beta
release-3.9.2.beta
release-3.9.3.rc1
release-3.9.4.rc2
release-3.9.5.rc3
release-4.*
release-4.0.0.rc4
release-4.0.0.rc6
release-4.0.1
release-4.0.10
release-4.0.13
release-4.0.14
release-4.0.16
release-4.0.17
release-4.0.18
release-4.0.19
release-4.0.2
release-4.0.20
release-4.0.21
release-4.0.23
release-4.0.24
release-4.0.25
release-4.0.26
release-4.0.27
release-4.0.28
release-4.0.29
release-4.0.3
release-4.0.30
release-4.0.31
release-4.0.32
release-4.0.33
release-4.0.34
release-4.0.35
release-4.0.36
release-4.0.37
release-4.0.38
release-4.0.39
release-4.0.4
release-4.0.40
release-4.0.41
release-4.0.42
release-4.0.43
release-4.0.44
release-4.0.45
release-4.0.46
release-4.0.48
release-4.0.49
release-4.0.5
release-4.0.50
release-4.0.51
release-4.0.52
release-4.0.53
release-4.0.55
release-4.0.56
release-4.0.57
release-4.0.58
release-4.0.59
release-4.0.6
release-4.0.7
release-4.0.8
release-5.*
release-5.0.0.beta1
release-5.0.0.beta2
release-5.0.0.beta3
release-5.0.0.rc1
release-5.0.0.rc2
release-5.0.1
release-5.0.10
release-5.0.11
release-5.0.13
release-5.0.14
release-5.0.15
release-5.0.16
release-5.0.17
release-5.0.18
release-5.0.19
release-5.0.2
release-5.0.20
release-5.0.21
release-5.0.22
release-5.0.23
release-5.0.24
release-5.0.25
release-5.0.26
release-5.0.27
release-5.0.28
release-5.0.29
release-5.0.3
release-5.0.30
release-5.0.4
release-5.0.5
release-5.0.6
release-5.0.7
release-5.0.8
release-5.0.9
release-5.1.0
release-5.1.1
release-5.1.2
release-5.1.3
release-5.1.4
release-5.1.5
release-5.1.6
release-5.1.7
release-5.1.8