Skip to main content

Passenger CVE-2013-4136

MEDIUM
Improper Link Resolution Before File Access (CWE-59)
2013-09-30 secalert@redhat.com
4.4
CVSS 2.0 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:L/AC:M/Au:N/C:P/I:P/A:P

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:L/AC:M/Au:N/C:P/I:P/A:P
Attack Vector
Local
Attack Complexity
M
Confidentiality
P
Integrity
P
Availability
P

Lifecycle Timeline

1
CVE Published
Sep 30, 2013 - 21:55 cve.org
MEDIUM 4.4

DescriptionCVE.org

ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/.

AnalysisAI

ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a. Rated medium severity (CVSS 4.4).

Technical ContextAI

This vulnerability is classified under CWE-59. ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/. Affected products include: Phusion Passenger. Version information: before 4.0.6.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2018-12026 CRITICAL
9.8 Jun 17

During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 al

CVE-2018-12027 HIGH
8.8 Jun 17

An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 causes information disclosu

CVE-2016-10345 HIGH
7.8 Apr 18

In Phusion Passenger before 5.1.0, a known /tmp filename was used during passenger-install-nginx-module execution, which

CVE-2018-12028 HIGH
7.8 Jun 17

An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows a Passenger-mana

CVE-2018-12029 HIGH
7.0 Jun 17

A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privil

CVE-2025-26803 MEDIUM
5.3 Feb 24

The http parser in Phusion Passenger 6.0.21 through 6.0.25 before 6.0.26 allows a denial of service during parsing of a

CVE-2018-12615 MEDIUM
5.3 Jun 21

An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. Rated

CVE-2017-16355 MEDIUM
4.7 Dec 14

In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Ent

CVE-2013-2119 MEDIUM
4.6 Jan 03

Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (pre

CVE-2014-1832 LOW
2.1 Feb 19

Phusion Passenger 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) contro

CVE-2014-1831 LOW
2.1 Feb 19

Phusion Passenger before 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1)

Share

CVE-2013-4136 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy