Incorrect Access Control in Phusion Passenger

GHSA-jjhj-8gx7-x836 · CVE-2018-12028

Published May 13, 2022 · Modified Feb 16, 2024

Description

An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an error, it would cause Passenger's process manager to kill said reported arbitrary PID.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2018-12028
WEB https://github.com/phusion/passenger/commit/1e7c82deb4901c438f583737d8c9f2aac264737c
WEB https://blog.phusion.nl/passenger-5-3-2
PACKAGE https://github.com/phusion/passenger
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2018-12028.yml
WEB https://security.gentoo.org/glsa/201807-02

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes