Vulnerability Description
An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges.
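The description above comes down to a group array and a count that do not agree when privileges are lowered. The following C sketch is an added example, not Passenger's code or its patch: it shows a privilege drop whose group list is sized from the count `getgrouplist()` reports, zero-initialised, and verified afterwards. The names `in_set`, `load_groups`, `groups_are` and `drop_to` are hypothetical, and a Linux/glibc target is assumed.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <unistd.h>

/* Return 1 if gid occurs in set[0..n). */
static int in_set(gid_t gid, const gid_t *set, int n) {
    while (n-- > 0) if (set[n] == gid) return 1;
    return 0;
}
/* Hypothetical helper: fetch every group of `user` into a zeroed buffer;
 * *n is the count getgrouplist() wrote, never the buffer capacity. */
gid_t *load_groups(const char *user, gid_t primary, int *n) {
    *n = 16;
    gid_t *set = calloc((size_t)*n, sizeof *set);
    if (set && getgrouplist(user, primary, set, n) < 0) {
        /* Too small: *n now holds the required count, so grow and retry. */
        gid_t *bigger = realloc(set, (size_t)*n * sizeof *set);
        if (!bigger || getgrouplist(user, primary, bigger, n) < 0) {
            free(bigger ? bigger : set);
            return NULL;
        }
        set = bigger;
    }
    return set;
}
/* Return 1 only if the active supplementary groups equal want[0..n). */
int groups_are(const gid_t *want, int n) {
    int have_n = getgroups(0, NULL);
    gid_t *have = have_n < 0 ? NULL : calloc((size_t)have_n + 1, sizeof *have);
    if (!have) return 0;
    have_n = getgroups(have_n, have);
    int ok = have_n >= 0;
    /* No unexpected group may be active, and no expected one missing. */
    for (int i = 0; ok && i < have_n; i++) ok = in_set(have[i], want, n);
    for (int i = 0; ok && i < n; i++) ok = in_set(want[i], have, have_n);
    free(have);
    return ok;
}
/* Drop from root to `user`: groups first, then gid, then uid, then verify. */
int drop_to(const char *user) {
    int n = 0;
    struct passwd *pw = getpwnam(user);
    gid_t *set = pw ? load_groups(user, pw->pw_gid, &n) : NULL;
    if (!set) return -1;
    int ok = setgroups((size_t)n, set) == 0 && setgid(pw->pw_gid) == 0 &&
             setuid(pw->pw_uid) == 0 && groups_are(set, n);
    free(set);
    return ok ? 0 : -1; /* callers should abort on -1, not continue */
}
```

`groups_are()` also works on its own as a post-drop assertion in a child process, where a mismatch should terminate the process before it executes anything on the user's behalf.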
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Phusion | Passenger | < 5.3.2 |
Related Weaknesses (CWE)
References
- https://github.com/phusion/passenger/commit/4e97fdb86d0a0141ec9a052c6e691fcd07bb (Patch, Third Party Advisory)
FAQ
What is CVE-2018-12615?
CVE-2018-12615 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., u...
How severe is CVE-2018-12615?
CVE-2018-12615 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2018-12615?
Check the references section above for vendor advisories and patch information. Affected products include: Phusion Passenger.