CVE-2018-12027

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-12027

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-12027.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-12027

Aliases

GHSA-whfx-877c-5p28

Related

UBUNTU-CVE-2018-12027

Published

2018-06-17T20:29:00Z

Modified

2024-09-03T02:03:58.737085Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 causes information disclosure in the following situation: given a Passenger-spawned application process that reports that it listens on a certain Unix domain socket, if any of the parent directories of said socket are writable by a normal user that is not the application's user, then that non-application user can swap that directory with something else, resulting in traffic being redirected to a non-application user's process through an alternative Unix domain socket.

References

Affected packages

Git / github.com/phusion/passenger

Affected ranges

Type: GIT
Repo: https://github.com/phusion/passenger
Events: Introduced

a53aa1fb31489cd27c5c34f059ed2c90ddca012b

Fixed

5e4d60575fadfd68913bd229990cb9f3feb393a9

Affected versions

release-5.*

release-5.3.0

release-5.3.1