Skip to content

insecure temporary directory usage in passenger

Moderate severity GitHub Reviewed Published Oct 24, 2017 to the GitHub Advisory Database • Updated Jun 9, 2023

Package

bundler passenger (RubyGems)

Affected versions

< 4.0.6

Patched versions

4.0.6

Description

ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/.

References

Published to the GitHub Advisory Database Oct 24, 2017
Reviewed Jun 16, 2020
Last updated Jun 9, 2023

Severity

Moderate

Weaknesses

CVE ID

CVE-2013-4136

GHSA ID

GHSA-w6rc-q387-vpgq

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.