passenger 5.0.7

5 security vulnerabilities found in version 5.0.7

CHMOD race vulnerability

high severity CVE-2018-12029
Patched versions: >= 5.3.2
Unaffected versions: < 3.0.0

The file system access race condition allows for local privilege escalation and affects the Nginx module for Passenger versions 3.0.0 through 5.3.1 (the chown command entered the code in 2010).

The vulnerability was exploitable only when running with a non-standard passenger_instance_registry_dir. After a file was created, there was a window in which it could be replaced with a symlink before it was chowned, because the chown was performed via the path and not the file descriptor.

If the symlink pointed to a file that root executes, such as root's crontab file, then privilege escalation was possible.

Predictable tmp File Path Vulnerability in Phusion Passenger

high severity CVE-2016-10345
Patched versions: >= 5.1.0

In Phusion Passenger before 5.1.0, a known /tmp filename was used during passenger-install-nginx-module execution, which could allow local attackers to gain the privileges of the passenger user.

Phusion Passenger incorrect permission assignment

medium severity CVE-2018-12615
Patched versions: >= 5.3.2

An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. The set of groups (gidset) is not set correctly, so which supplementary groups are actually set while lowering privileges is left to randomness (i.e., uninitialized memory).

Phusion Passenger information disclosure

medium severity CVE-2017-16355
Patched versions: >= 5.1.11

In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from the application root folder to a file of choice and querying passenger-status --show=xml.

Phusion Passenger Server allows to overwrite headers in some cases

medium severity CVE-2015-7519
Patched versions: ~> 4.0.60, >= 5.0.22

In some cases it is possible for clients to overwrite headers set by the server, resulting in a medium level security issue. Passenger 5 uses an SCGI-inspired format to pass headers to Ruby/Python applications, while Passenger 4 uses an SCGI-inspired format to pass headers to all applications. This implies a conversion to UPPER_CASE_WITH_UNDERSCORES, whereby the difference between characters like '-' and '_' is lost.
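
The name conversion described above, as an added example (not Passenger's code and not its patch): it groups request header names by their UPPER_CASE_WITH_UNDERSCORES form to find collisions, and shows one generic way to filter ambiguous names before conversion. All function names and the sample headers are constructed for illustration.

```ruby
# Added example: CGI-style header name conversion and the collisions it causes.
# normalize_header, colliding_headers and drop_ambiguous are hypothetical helpers.

# Convert an HTTP header name to the UPPER_CASE_WITH_UNDERSCORES form.
def normalize_header(name)
  "HTTP_" + name.upcase.tr("-", "_")
end

# Return { converted_key => [distinct header names] } for every key that more
# than one distinct header name maps to. Names are compared case-insensitively,
# because HTTP header names are case-insensitive to begin with.
def colliding_headers(pairs)
  groups = Hash.new { |hash, key| hash[key] = [] }
  pairs.each do |name, _value|
    key = normalize_header(name)
    lowered = name.downcase
    groups[key] << lowered unless groups[key].include?(lowered)
  end
  groups.select { |_key, names| names.size > 1 }
end

# Generic mitigation (an assumption, not the upstream fix): keep only headers
# whose names consist of letters, digits and '-', so that no two accepted
# names can convert to the same key.
def drop_ambiguous(pairs)
  pairs.select { |name, _value| name.match?(/\A[A-Za-z0-9-]+\z/) }
end

# Constructed sample request headers.
SAMPLE_REQUEST = [
  ["Host", "app.example"],
  ["Accept-Language", "en"],
  ["X-Internal-Flag", "0"],   # stands in for a header the server side sets
  ["X_Internal_Flag", "1"]    # different name on the wire, same key after conversion
].freeze

if __FILE__ == $PROGRAM_NAME
  colliding_headers(SAMPLE_REQUEST).each do |key, names|
    puts "#{key} <- #{names.join(', ')}"
  end
  puts "after filtering: #{colliding_headers(drop_ambiguous(SAMPLE_REQUEST)).size} collisions"
end
```
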

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leak issues.

Author did not declare a license for this gem in the gemspec.


This gem version has an MIT license in the source code; however, it was not declared in the gemspec file.

This gem version is available.


This gem version has not been yanked and is still available for usage.