CVSS v3: 7.0
CVSS v2: 4.4
- < 3.0.0
- >= 5.3.2
The file system access race condition allows for local privilege escalation and affects the Nginx module for Passenger versions 5.3.1, all the way back to 3.0.0 (the chown command entered the code in 2010).
The vulnerability was exploitable only when running a non-standard
passenger_instance_registry_dir, via a race condition where after a file was created, there was a window in which it could be replaced with a symlink before it was chowned via the path and not the file descriptor.
If the symlink target was to a file which would be executed by root such as root’s crontab file, then privilege escalation was possible.