CVE-2014-1831 — Insecure Temporary File in Passenger

CWE-377 — Insecure Temporary File10 documents7 sources

Severity

2.1LOWNVD

EPSS

0.1%

top 79.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phusion Passenger

Timeline

PublishedFeb 19

Latest updateOct 10

Description

Phusion Passenger before 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file.

CVSS vector

AV:L/AC:L/C:N/I:P/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages3 packages

▶RubyGemsphusion/passenger< 4.0.38

▶Debianphusion/passenger< 4.0.37-1+3

▶NVDphusion/passenger4.0.36

🔴Vulnerability Details

OSV

Insecure use of temporary files in passenger↗2018-10-10

▶

GHSA

Insecure use of temporary files in passenger↗2018-10-10

▶

GHSA

Insecure use of temporary files in Phusion passenger↗2018-10-10

▶

CVEList

CVE-2014-1831: Phusion Passenger before 4↗2015-02-19

▶

OSV

CVE-2014-1831: Phusion Passenger before 4↗2015-02-19

▶

📋Vendor Advisories

Red Hat

rubygem-passenger: insecure use of temporary files↗2014-01-28

▶

Red Hat

rubygem-passenger: insecure use of temporary files↗2014-01-28

▶

Debian

CVE-2014-1831: passenger - Phusion Passenger before 4.0.37 allows local users to write to certain files and...↗2014

▶

💬Community

Bugzilla

CVE-2014-1831 CVE-2014-1832 rubygem-passenger: insecure use of temporary files↗2014-01-28

▶