CVE-2013-4136 rubygem-passenger: insecure temporary directory usage due to reuse of existing server instance directories
Published: June 10, 2013
SECURITY IDENTIFIERS
- CVE: CVE-2013-4136 (NVD)
- GHSA: GHSA-w6rc-q387-vpgq
- OSVDB: OSVDB-94074
GEM
SEVERITY
CVSS v2.0: 4.6 (Medium)
PATCHED VERSIONS
>= 4.0.8
DESCRIPTION
ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/.
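A defensive pattern for this class of bug, shown as an added C example (it is not Passenger's code or its actual patch): before reusing a directory with a predictable name, open it without following symlinks and verify ownership and mode on the opened descriptor. The function name `open_instance_dir` and the default path in `main` are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: returns a directory fd for a private instance
 * directory at `path`, or -1 if the path cannot be trusted. */
int open_instance_dir(const char *path)
{
    struct stat st;
    int fd;

    /* mkdir() fails with EEXIST if anything, including a symlink,
     * already exists at path; it never creates through the link. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;

    /* O_NOFOLLOW rejects a symlink planted at path, O_DIRECTORY a file. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* Check the object actually opened (fstat on the fd, not the path):
     * it must be ours and not writable by group or others. */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* Constructed default path, for illustration only. */
    const char *path = argc > 1 ? argv[1] : "/tmp/example-instance.d";
    int fd = open_instance_dir(path);
    if (fd < 0) {
        fprintf(stderr, "refusing to use %s\n", path);
        return 1;
    }
    close(fd);
    return 0;
}
```

Any later ownership or mode change should go through the returned descriptor (`fchown`, `fchmod`) rather than the path, so it applies to the directory that was verified.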
