passenger 2.0.3

9 security vulnerabilities found in version 2.0.3

Predictable tmp File Path Vulnerability in Phusion Passenger

high severity CVE-2016-10345
high severity CVE-2016-10345
Patched versions: >= 5.1.0

In Phusion Passenger before 5.1.0, a known /tmp filename was used during passenger-install-nginx-module execution, which could allow local attackers to gain the privileges of the passenger user.

RubyGems passenger gem allows remote attackers to delete files

high severity CVE-2012-6135
high severity CVE-2012-6135
Affected versions: < 4.0.0.rc4

RubyGems passenger 4.0.0 betas 1 and 2 allows remote attackers to delete arbitrary files during the startup process.

Affects both open source and Enterprise versions (4.0.0.beta1, 4.0.0.beta2).

Phusion Passenger incorrect permission assignment

medium severity CVE-2018-12615
medium severity CVE-2018-12615
Patched versions: >= 5.3.2

An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges.

Phusion Passenger information disclosure

medium severity CVE-2017-16355
medium severity CVE-2017-16355
Patched versions: >= 5.1.11

In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from the application root folder to a file of choice and querying passenger-status --show=xml.

Phusion Passenger Server allows to overwrite headers in some cases

medium severity CVE-2015-7519
medium severity CVE-2015-7519
Patched versions: ~> 4.0.60, >= 5.0.22

It is possible in some cases, for clients to overwrite headers set by the server, resulting in a medium level security issue. Passenger 5 uses an SCGI-inspired format to pass headers to Ruby/Python applications, while Passenger 4 uses an SCGI-inspired format to pass headers to all applications. This implies a conversion to UPPER_CASE_WITH_UNDERSCORES whereby the difference between characters like '-' and '_' is lost.

CVE-2013-4136 rubygem-passenger: insecure temporary directory usage due toreuse of existing server instance directories

medium severity CVE-2013-4136
medium severity CVE-2013-4136
Patched versions: >= 4.0.8

ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/.

CVE-2013-2119 rubygem-passenger: incorrect temporary file usage

medium severity CVE-2013-2119
medium severity CVE-2013-2119
Patched versions: ~> 3.0.21, >= 4.0.5

Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem.

CVE-2014-1831 CVE-2014-1832 rubygem-passenger: insecure use of temporary files

low severity CVE-2014-1832
low severity CVE-2014-1832
Patched versions: >= 4.0.38

'Phusion Passenger 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1831.'

CVE-2014-1831 CVE-2014-1832 rubygem-passenger: insecure use of temporary files

low severity CVE-2014-1831
low severity CVE-2014-1831
Patched versions: >= 4.0.37

Phusion Passenger before 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

Gem version without a license.


Unless a license that specifies otherwise is included, nobody can use, copy, distribute, or modify this library without being at risk of take-downs, shake-downs, or litigation.

This gem version is available.


This gem version has not been yanked and is still available for usage.