GHSA-cv3f-px9r-54hm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-cv3f-px9r-54hm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cv3f-px9r-54hm/GHSA-cv3f-px9r-54hm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-cv3f-px9r-54hm
- Aliases
- Published
- 2022-05-13T01:30:59Z
- Modified
- 2024-02-20T05:33:33.855438Z
- Severity
-
- 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Phusion Passenger information disclosure
- Details
-
In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from the application root folder to a file of choice and querying passenger-status --show=xml.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-16355
- https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf
- https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11
- https://github.com/phusion/passenger
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2017-16355.yml
- https://seclists.org/bugtraq/2019/Mar/34
- https://www.debian.org/security/2019/dsa-4415
Affected packages
RubyGems / passenger
Package
- Name
- passenger
- Purl
- pkg:gem/passenger
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.1.11
Affected versions
1.*
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
2.*
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.1.2
2.1.3
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
3.*
3.0.0.pre1
3.0.0.pre2
3.0.0.pre3
3.0.0.pre4
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.17
3.0.18
3.0.19
3.0.21
3.9.1.beta
3.9.2.beta
4.*
4.0.0.rc4
4.0.0.rc6
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.10
4.0.13
4.0.14
4.0.16
4.0.17
4.0.18
4.0.19
4.0.20
4.0.21
4.0.23
4.0.24
4.0.25
4.0.26
4.0.27
4.0.28
4.0.29
4.0.30
4.0.31
4.0.32
4.0.33
4.0.34
4.0.35
4.0.36
4.0.37
4.0.38
4.0.39
4.0.40
4.0.41
4.0.42
4.0.43
4.0.44
4.0.45
4.0.46
4.0.48
4.0.49
4.0.50
4.0.51
4.0.52
4.0.53
4.0.55
4.0.56
4.0.57
4.0.58
4.0.59
4.0.60
5.*
5.0.0.beta1
5.0.0.beta2
5.0.0.beta3
5.0.0.rc1
5.0.0.rc2
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.13
5.0.14
5.0.15
5.0.16
5.0.17
5.0.18
5.0.19
5.0.20
5.0.21
5.0.22
5.0.23
5.0.24
5.0.25
5.0.26
5.0.27
5.0.28
5.0.29
5.0.30
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10