CVE-2014-1832 — Insecure Temporary File in Passenger

CWE-377 — Insecure Temporary File7 documents7 sources

Severity

2.1LOWNVD

EPSS

0.1%

top 79.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phusion Passenger

Timeline

PublishedFeb 19

Latest updateOct 10

Description

Phusion Passenger 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1831.

CVSS vector

AV:L/AC:L/C:N/I:P/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages2 packages

▶RubyGemsphusion/passenger4.0.37 — 4.0.38

▶NVDphusion/passenger4.0.36

🔴Vulnerability Details

GHSA

Insecure use of temporary files in Phusion passenger↗2018-10-10

▶

OSV

Insecure use of temporary files in Phusion passenger↗2018-10-10

▶

CVEList

CVE-2014-1832: Phusion Passenger 4↗2015-02-19

▶

📋Vendor Advisories

Red Hat

rubygem-passenger: insecure use of temporary files↗2014-01-28

▶

Debian

CVE-2014-1832: passenger - Phusion Passenger 4.0.37 allows local users to write to certain files and direct...↗2014

▶

💬Community

Bugzilla

CVE-2014-1831 CVE-2014-1832 rubygem-passenger: insecure use of temporary files↗2014-01-28

▶