CVE-2018-12615
- Source
- https://cve.org/CVERecord?id=CVE-2018-12615
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-12615.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2018-12615
- Aliases
- Published
- 2018-06-21T15:29:00.367Z
- Modified
- 2026-04-11T06:58:46.143205Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges.
- References
Affected packages
Git / github.com/phusion/passenger
Affected versions
release-1.*
release-1.0.0
release-1.0.1
release-1.0.2
release-1.0.3
release-1.9.0
release-1.9.1
release-2.*
release-2.0.1
release-2.2.0
release-2.2.1
release-2.2.10
release-2.2.11
release-2.2.12
release-2.2.13
release-2.2.14
release-2.2.15
release-2.2.2
release-2.2.3
release-2.2.4
release-2.2.5
release-2.2.6
release-2.2.7
release-2.2.8
release-2.2.9
release-3.*
release-3.9.0.beta
release-3.9.1.beta
release-3.9.2.beta
release-3.9.3.rc1
release-3.9.4.rc2
release-3.9.5.rc3
release-4.*
release-4.0.0.rc4
release-4.0.0.rc6
release-4.0.1
release-4.0.10
release-4.0.13
release-4.0.14
release-4.0.16
release-4.0.17
release-4.0.18
release-4.0.19
release-4.0.2
release-4.0.20
release-4.0.21
release-4.0.23
release-4.0.24
release-4.0.25
release-4.0.26
release-4.0.27
release-4.0.28
release-4.0.29
release-4.0.3
release-4.0.31
release-4.0.32
release-4.0.33
release-4.0.34
release-4.0.35
release-4.0.36
release-4.0.37
release-4.0.38
release-4.0.39
release-4.0.4
release-4.0.40
release-4.0.41
release-4.0.42
release-4.0.43
release-4.0.44
release-4.0.45
release-4.0.46
release-4.0.48
release-4.0.49
release-4.0.5
release-4.0.50
release-4.0.6
release-4.0.7
release-4.0.8
release-5.*
release-5.0.0.beta1
release-5.0.0.beta2
release-5.0.0.beta3
release-5.0.0.rc1
release-5.0.0.rc2
release-5.0.1
release-5.0.10
release-5.0.11
release-5.0.13
release-5.0.14
release-5.0.15
release-5.0.16
release-5.0.17
release-5.0.18
release-5.0.2
release-5.0.22
release-5.0.23
release-5.0.24
release-5.0.25
release-5.0.26
release-5.0.27
release-5.0.28
release-5.0.29
release-5.0.30
release-5.1.0
release-5.1.11
release-5.1.12
release-5.1.7
release-5.1.8
release-5.2.0
release-5.2.1
release-5.2.2
release-5.2.3
release-5.3.0
release-5.3.1
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-12615.json"
vanir_signatures_modified
"2026-04-11T06:58:46Z"
vanir_signatures
[
{
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/phusion/passenger/commit/4e97fdb86d0a0141ec9a052c6e691fcd07bb45c8",
"digest": {
"function_hash": "332130151477633070032125895755766442709",
"length": 1347.0
},
"id": "CVE-2018-12615-3dfcd8a8",
"deprecated": false,
"target": {
"file": "src/agent/ExecHelper/ExecHelperMain.cpp",
"function": "switchGroup"
}
},
{
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/phusion/passenger/commit/4e97fdb86d0a0141ec9a052c6e691fcd07bb45c8",
"digest": {
"threshold": 0.9,
"line_hashes": [
"163473880165651654278746379856817350480",
"174032986143341143608655394535215179810",
"11542372103114541864585356586578787903",
"166580049995338455327982947978315360953"
]
},
"id": "CVE-2018-12615-9620d7cb",
"deprecated": false,
"target": {
"file": "src/agent/ExecHelper/ExecHelperMain.cpp"
}
}
]