Vulnerability Description
A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but before it was chowned, leads to the target of the link being chowned via the path. Targeting sensitive files such as root's crontab file allows privilege escalation.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Phusion | Passenger | >= 3.0.0, < 5.3.2 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- https://blog.phusion.nl/passenger-5-3-2MitigationVendor Advisory
- https://lists.debian.org/debian-lts-announce/2018/06/msg00007.htmlMailing ListThird Party Advisory
- https://pulsesecurity.co.nz/advisories/phusion-passenger-priv-escThird Party Advisory
- https://security.gentoo.org/glsa/201807-02Third Party Advisory
- https://blog.phusion.nl/passenger-5-3-2MitigationVendor Advisory
- https://lists.debian.org/debian-lts-announce/2018/06/msg00007.htmlMailing ListThird Party Advisory
- https://pulsesecurity.co.nz/advisories/phusion-passenger-priv-escThird Party Advisory
- https://security.gentoo.org/glsa/201807-02Third Party Advisory
FAQ
What is CVE-2018-12029?
CVE-2018-12029 is a vulnerability with a CVSS score of 7.0 (HIGH). A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently str...
How severe is CVE-2018-12029?
CVE-2018-12029 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-12029?
Check the references section above for vendor advisories and patch information. Affected products include: Phusion Passenger, Debian Debian Linux.