CVE-2017-16355

Published: 14/12/2017 Updated: 28/10/2019
CVSS v2 Base Score: 1.2 | Impact Score: 2.9 | Exploitability Score: 1.9
CVSS v3 Base Score: 4.7 | Impact Score: 3.6 | Exploitability Score: 1
VMScore: 107
Vector: AV:L/AC:H/Au:N/C:P/I:N/A:N

Vulnerability Summary

In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from the application root folder to a file of choice and querying passenger-status --show=xml.

Vulnerable Product

phusion passenger

debian debian linux 9.0

Vendor Advisories

Debian Bug report logs - #921767 CVE-2018-12029 Package: src:passenger; Maintainer for src:passenger is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Moritz Muehlenhoff <jmm@debian.org> Date: Fri, 8 Feb 2019 21:51:20 UTC Severity: minor Tags: patch, security, upst ...

Debian Bug report logs - #884463 passenger: CVE-2017-16355: arbitrary file read Package: src:passenger; Maintainer for src:passenger is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Fri, 15 Dec 2017 15:21:02 UTC Severi ...

An arbitrary file read vulnerability was discovered in passenger, a web application server. A local user allowed to deploy an application to passenger can take advantage of this flaw by creating a symlink from the REVISION file to an arbitrary file on the system and have its content displayed through passenger-status. For the stable distribution ( ...

In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from the application root folder to a file of choice and querying passenger-s ...