CVE-2018-12615 – passenger

Package

Manager: gem
Name: passenger
Vulnerable Version: >=0 <5.3.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00198 pctl0.42043

Details

Phusion Passenger incorrect permission assignment An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges.

Metadata

Created: 2022-05-13T01:49:37Z
Modified: 2022-06-17T21:28:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4284-jfhc-f854/GHSA-4284-jfhc-f854.json
CWE IDs: ["CWE-732"]
Alternative ID: GHSA-4284-jfhc-f854
Finding: F039
Auto approve: 1