RubySec

Providing security resources for the Ruby community

CVE-2014-1832 (passenger): Phusion Passenger Server Instance Directory Creation Local Symlink File Overwrite

ADVISORIES

GEM

passenger

SEVERITY

CVSS v2: 2.1

PATCHED VERSIONS

  • >= 4.0.38

DESCRIPTION

Phusion Passenger creates its server instance directory insecurely. A local attacker can mount a symlink attack against that directory and cause the program to unexpectedly overwrite an arbitrary file.
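A generic hardened pattern for the bug class described above is shown below. It is an added example, not Passenger's code or its actual fix. The helper names (`create_private_dir`, `verify_private_dir!`, `rejected?`, `demo`) and the sample paths are assumptions for illustration.

```ruby
require "tmpdir"

class UnsafeDirectoryError < StandardError; end

# Hypothetical helper: inspect the path entry itself and refuse anything
# another local user could have planted or could still write into.
def verify_private_dir!(path)
  st = File.lstat(path) # lstat looks at the entry, never at a symlink target
  raise UnsafeDirectoryError, "#{path} is a symlink" if st.symlink?
  raise UnsafeDirectoryError, "#{path} is not a directory" unless st.directory?
  raise UnsafeDirectoryError, "#{path} has a foreign owner" unless st.uid == Process.euid
  raise UnsafeDirectoryError, "#{path} is group/world accessible" unless (st.mode & 0o077).zero?
  true
end

# Hypothetical helper: create a private working directory without trusting
# whatever already exists at the path.
def create_private_dir(path)
  begin
    # mkdir(2) does not follow a symlink in the final path component and
    # fails with EEXIST if any entry (file, directory, symlink) is present.
    Dir.mkdir(path, 0o700)
  rescue Errno::EEXIST
    # Something is already there: only accept it if the checks below pass.
  end
  verify_private_dir!(path)
  path
end

def rejected?(path)
  create_private_dir(path)
  false
rescue UnsafeDirectoryError
  true
end

# Constructed sandbox standing in for a shared temporary directory.
def demo
  Dir.mktmpdir do |base|
    fresh   = File.join(base, "instance.fresh")
    planted = File.join(base, "instance.planted")
    wide    = File.join(base, "instance.wide")
    Dir.mkdir(File.join(base, "victim"))
    File.symlink(File.join(base, "victim"), planted) # symlink planted in advance
    Dir.mkdir(wide)
    File.chmod(0o777, wide)                          # directory others can write to
    { fresh_mode: File.lstat(create_private_dir(fresh)).mode & 0o777,
      reused: create_private_dir(fresh) == fresh,
      symlink_rejected: rejected?(planted),
      wide_rejected: rejected?(wide) }
  end
end
```

The ownership and mode checks matter because they are what make reuse of an existing directory safe; files created afterwards inside a directory that passes them cannot be redirected by another unprivileged user.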