CVE-2018-12615

MEDIUM5.3EPSS 0.20%

Phusion Passenger incorrect permission assignment

Published: 5/13/2022Modified: 11/8/2023

Description

An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges.

Affected packages (1)

RubyGems/passengerfrom 0, < 5.3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-12615
PATCHhttps://github.com/phusion/passenger
WEBhttps://github.com/phusion/passenger/commit/4e97fdb86d0a0141ec9a052c6e691fcd07bb45c8
WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2018-12615.yml