CVE-2017-16355

Source: https://nvd.nist.gov/vuln/detail/CVE-2017-16355
Import Source: https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16355.json
Aliases
Related
Published: 2017-12-14T22:29:00Z
Modified: 2023-11-29T06:09:11.116790Z
Details

In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from the application root folder to a file of choice and querying passenger-status --show=xml.

References

Affected packages

Git / github.com/phusion/passenger

Affected ranges

Type: GIT
Repo: https://github.com/phusion/passenger
Events

Affected versions

release-5.*

release-5.0.10
release-5.0.11
release-5.0.13
release-5.0.14
release-5.0.15
release-5.0.16
release-5.0.17
release-5.0.18
release-5.0.19
release-5.0.20
release-5.0.21
release-5.0.22
release-5.0.23
release-5.0.24
release-5.0.25
release-5.0.26
release-5.0.27
release-5.0.28
release-5.0.29
release-5.0.30
release-5.1.0
release-5.1.1
release-5.1.2
release-5.1.3
release-5.1.4
release-5.1.5
release-5.1.6
release-5.1.7
release-5.1.8