passenger 5.3.1

5 security vulnerabilities found in version 5.3.1

SpawningKit exploits

critical severity CVE-2018-12026
Patched versions: >= 5.3.2
Unaffected versions: < 5.3.0

During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This could then result in arbitrary reads and writes, which in turn can result in information disclosure and privilege escalation.

CHMOD race vulnerability

high severity CVE-2018-12029
Patched versions: >= 5.3.2
Unaffected versions: < 3.0.0

The file system access race condition allows for local privilege escalation and affects the Nginx module for Passenger versions 5.3.1, all the way back to 3.0.0 (the chown command entered the code in 2010).

The vulnerability was exploitable only when running with a non-standard passenger_instance_registry_dir. After a file was created, there was a window in which it could be replaced with a symlink before it was chowned, because the chown was performed via the path and not the file descriptor.

If the symlink pointed to a file that would be executed by root, such as root's crontab file, then privilege escalation was possible.

Incorrect Access Control in Phusion Passenger

high severity CVE-2018-12028
Patched versions: >= 5.3.2
Unaffected versions: < 5.3.0

An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an error, it would cause Passenger's process manager to kill said reported arbitrary PID.

Insecure Permissions in Phusion Passenger

high severity CVE-2018-12027
Patched versions: >= 5.3.2
Unaffected versions: < 5.3.0

An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 causes information disclosure in the following situation: given a Passenger-spawned application process that reports that it listens on a certain Unix domain socket, if any of the parent directories of said socket are writable by a normal user that is not the application's user, then that non-application user can swap that directory with something else, resulting in traffic being redirected to a non-application user's process through an alternative Unix domain socket.

Phusion Passenger incorrect permission assignment

medium severity CVE-2018-12615
Patched versions: >= 5.3.2

An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges.

No officially reported memory leak issues detected.

This gem version does not have any officially reported memory leak issues.

Author did not declare a license for this gem in the gemspec.

This gem version has an MIT license in the source code; however, it was not declared in the gemspec file.

This gem version is available.


This gem version has not been yanked and is still available for usage.