Vulnerability Description
During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in turn can result in information disclosure and privilege escalation.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Phusion | Passenger | >= 5.3.0, < 5.3.2 |
Related Weaknesses (CWE)
References
- https://blog.phusion.nl/passenger-5-3-2MitigationVendor Advisory
- https://security.gentoo.org/glsa/201807-02Third Party Advisory
- https://blog.phusion.nl/passenger-5-3-2MitigationVendor Advisory
- https://security.gentoo.org/glsa/201807-02Third Party Advisory
FAQ
What is CVE-2018-12026?
CVE-2018-12026 is a vulnerability with a CVSS score of 9.8 (CRITICAL). During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning commu...
How severe is CVE-2018-12026?
CVE-2018-12026 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-12026?
Check the references section above for vendor advisories and patch information. Affected products include: Phusion Passenger.