Improper access control in Phusion Passenger - CVE-2018-12028
Published: July 24, 2018
Phusion Passenger
Detailed vulnerability description
The vulnerability allows a local attacker to bypass security restrictions.
The vulnerability exists due to improper access control in the SpawningKit subsystem of the affected software. A local attacker can use a malicious Passenger-managed application that, upon spawning a child process, reports an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an error, Passenger's process manager kills the reported arbitrary PID.
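One way a process manager can guard against the behaviour described above is to refuse to signal a self-reported PID unless it is the process the manager itself spawned, or a descendant of it. The following is an added example, not Passenger's code or its actual fix; the function names and the constructed process table are assumptions made for illustration.

```cpp
#include <sys/types.h>
#include <cstdio>
#include <fstream>
#include <functional>
#include <map>
#include <string>

// Returns the parent PID of a process, or -1 if unknown.
using ParentLookup = std::function<pid_t(pid_t)>;

// Linux lookup: in /proc/<pid>/stat the ppid follows the state field after the
// last ')' (the comm field may itself contain spaces or parentheses).
pid_t procParent(pid_t pid) {
    std::ifstream f("/proc/" + std::to_string(pid) + "/stat");
    std::string line;
    if (!std::getline(f, line)) return -1;
    std::size_t end = line.rfind(')');
    if (end == std::string::npos) return -1;
    char state; long ppid;
    if (std::sscanf(line.c_str() + end + 1, " %c %ld", &state, &ppid) != 2) return -1;
    return static_cast<pid_t>(ppid);
}

// True only if `reported` is the spawned process or one of its descendants.
// `spawned` is the PID the manager got from its own fork(), never from the app.
bool reportedPidIsTrusted(pid_t spawned, pid_t reported,
                          const ParentLookup &parentOf = procParent) {
    if (spawned <= 1 || reported <= 1) return false;
    pid_t cur = reported;
    for (int depth = 0; depth < 64 && cur > 1; depth++) {  // bounded walk
        if (cur == spawned) return true;
        cur = parentOf(cur);
    }
    return false;
}

// Constructed process table (child -> parent) so the example runs anywhere.
pid_t sampleParent(pid_t pid) {
    static const std::map<pid_t, pid_t> table = {
        {4000, 1}, {4100, 4000},   // manager, application it spawned
        {4101, 4100}, {900, 1},    // application's worker, unrelated daemon
    };
    auto it = table.find(pid);
    return it == table.end() ? -1 : it->second;
}

int main() {
    std::printf("worker 4101: %d\n", reportedPidIsTrusted(4100, 4101, sampleParent));
    std::printf("daemon 900:  %d\n", reportedPidIsTrusted(4100, 900, sampleParent));
}
```

An ancestry check rejects applications that daemonize and reparent to init, and it does not close PID-reuse races between the check and the signal, so it is one layer rather than a complete fix.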