CVE-2018-12029

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2018-12029
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-12029.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-12029
Aliases
Downstream
Related
Published
2018-06-17T20:29:00.493Z
Modified
2026-04-10T04:04:41.457763Z
Severity
  • 7.0 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passengerinstanceregistry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but before it was chowned, leads to the target of the link being chowned via the path. Targeting sensitive files such as root's crontab file allows privilege escalation.

References

Affected packages

Git / github.com/phusion/passenger

Affected ranges

Type
GIT
Repo
https://github.com/phusion/passenger
Events
Introduced
2f225ddbc2161a1766c9cb326e5a661ae3848bd6
Fixed
5e4d60575fadfd68913bd229990cb9f3feb393a9
Database specific 
{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "5.3.2"
        }
    ]
}

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-12029.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0"
            }
        ]
    }
]