RubySec

Providing security resources for the Ruby community

CVE-2013-4136 (passenger): Phusion Passenger Gem for Ruby Utils.cpp Temporary Directory Creation Symlink Local Privilege Escalation

GEM

passenger

SEVERITY

CVSS v2: 4.6

PATCHED VERSIONS

  • >= 4.0.8

DESCRIPTION

Phusion Passenger Gem for Ruby creates temporary directories insecurely. A local attacker can exploit the temporary directory creation in Utils.cpp with a symlink attack to gain elevated privileges.
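
To check whether a bundled application still resolves to an unpatched release, the following added example (not part of the advisory or of Passenger itself) reads a Gemfile.lock and tests the locked passenger version against the patched range listed above. The helper names and the sample lockfile are constructed for illustration.

```ruby
require "rubygems"

# Gem name and patched range are taken from the advisory above.
ADVISORY_GEM = "passenger"
PATCHED = Gem::Requirement.new(">= 4.0.8")

# Constructed sample lockfile, for illustration only.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      passenger (4.0.5)
        rack
        rake (>= 0.8.1)
      rack (1.5.2)
      rake (10.1.0)
LOCK

# Returns { name => Gem::Version } for every resolved gem in a Gemfile.lock.
# Resolved gems sit at exactly four spaces of indentation under "specs:";
# their dependency constraints are indented six spaces and are skipped.
def locked_versions(lockfile_text)
  lockfile_text.each_line.with_object({}) do |line, gems|
    m = line.match(/\A {4}(\S+) \(([^)\s]+)\)\s*\z/) or next
    version = m[2].split("-", 2).first # drop a platform suffix such as "-java"
    gems[m[1]] = Gem::Version.new(version) if Gem::Version.correct?(version)
  end
end

# Returns :not_present, :patched or :vulnerable for the advisory's gem.
# Pre-releases of the fixed version (e.g. 4.0.8.rc1) sort below 4.0.8
# and are therefore reported as :vulnerable.
def passenger_status(lockfile_text)
  version = locked_versions(lockfile_text)[ADVISORY_GEM]
  return :not_present if version.nil?
  PATCHED.satisfied_by?(version) ? :patched : :vulnerable
end

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts "#{ADVISORY_GEM}: #{passenger_status(text)}"
end
```

A lockfile only covers Passenger installed through Bundler; a copy installed system-wide or from an OS package has to be checked separately.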