Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
passenger vulnerabilities and exploits
(subscribe to this query)
7.5
CVSSv2
CVE-2018-12026
During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x prior to 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads an...
Phusion Passenger
6.9
CVSSv2
CVE-2008-1570
Race condition in the create_lockpath function in policyd-weight 0.1.14 beta-16 allows local users to modify or delete arbitrary files by creating the LOCKPATH directory, then modifying it after the symbolic link check occurs. NOTE: this is due to an incomplete fix for CVE-2008-1...
Policyd-weight Policyd-weight 0.1.14 Beta-14
6.8
CVSSv2
CVE-2018-12028
An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x prior to 5.3.2 allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious appl...
Phusion Passenger
6.5
CVSSv2
CVE-2018-12027
An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x prior to 5.3.2 causes information disclosure in the following situation: given a Passenger-spawned application process that reports that it listens on a certain Unix domain socket, if any of the paren...
Phusion Passenger
6.4
CVSSv2
CVE-2012-6135
RubyGems passenger 4.0.0 betas 1 and 2 allows remote malicious users to delete arbitrary files during the startup process.
Phusion Passenger 4.0.0
Redhat Openshift 1.0
5
CVSSv2
CVE-2018-12615
An issue exists in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger prior to 5.3.2. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering ...
Phusion Passenger
5
CVSSv2
CVE-2013-4961
Puppet Enterprise prior to 3.0.1 includes version information for the Apache and Phusion Passenger products in its HTTP response headers, which allows remote malicious users to obtain sensitive information.
Puppet Puppet Enterprise
Puppet Puppet Enterprise 2.8.3
Puppet Puppet Enterprise 2.5.1
Puppet Puppet Enterprise 2.8.2
Puppet Puppet Enterprise 2.8.0
Puppet Puppet Enterprise 2.8.1
Puppet Puppet Enterprise 2.5.2
4.6
CVSSv2
CVE-2016-10345
In Phusion Passenger prior to 5.1.0, a known /tmp filename was used during passenger-install-nginx-module execution, which could allow local malicious users to gain the privileges of the passenger user.
Phusion Passenger
4.4
CVSSv2
CVE-2018-12029
A race condition in the nginx module in Phusion Passenger 3.x up to and including 5.x prior to 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink aft...
Phusion Passenger
Debian Debian Linux 8.0
4.4
CVSSv2
CVE-2013-4136
ext/common/ServerInstanceDir.h in Phusion Passenger gem prior to 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/.
Phusion Passenger 4.0.2
Phusion Passenger
Phusion Passenger 4.0.4
Phusion Passenger 4.0.3
Phusion Passenger 4.0.1
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
authentication bypass
CVE-2024-30043
camera
CVE-2023-40404
CVE-2024-2793
client side
CVE-2024-4469
CVE-2024-3565
CVE-2024-29825
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
NEXT »