CVE-2018-12026
CRITICAL 9.8 | EPSS 1.1%
Phusion Passenger SpawningKit Contains Arbitrary Read/Write Vulnerability
Published: 2022/5/14 | Modified: 2024/2/20
Description
During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in turn can result in information disclosure and privilege escalation.
Affected packages (1)
- RubyGems/passenger >= 5.3.0, < 5.3.2
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (7)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2018-12026
- PATCH https://github.com/phusion/passenger
- WEB https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes
- WEB https://blog.phusion.nl/passenger-5-3-2
- WEB https://github.com/phusion/passenger/commit/fd3717a3cd357aa0e80e1e81d4dc94a1eaf928f1
- WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2018-12026.yml
- WEB https://security.gentoo.org/glsa/201807-02