CVE-2018-12028 — Incorrect Permission Assignment in Passenger

CWE-732 — Incorrect Permission Assignment CWE-284 — Improper Access Control8 documents7 sources

Severity

7.8HIGHNVD

EPSS

0.2%

top 60.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phusion Passenger

Timeline

PublishedJun 17

Latest updateMay 13

Description

An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an error, it would cause Passenger's process manager to kill said reported arbitrary PID.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶NVDphusion/passenger5.3.0 — 5.3.2

▶RubyGemsphusion/passenger5.3.0 — 5.3.2

▶Ubuntuphusion/passenger< 6.0.10-3build1

🔴Vulnerability Details

OSV

Incorrect Access Control in Phusion Passenger↗2022-05-13

▶

GHSA

Incorrect Access Control in Phusion Passenger↗2022-05-13

▶

OSV

CVE-2018-12028: An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5↗2018-06-17

▶

CVEList

CVE-2018-12028: An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5↗2018-06-17

▶

📋Vendor Advisories

Red Hat

passenger: Improper access control in SpawningKit can allow malicious child processes to kill arbitrary processes↗2018-06-05

▶

Debian

CVE-2018-12028: passenger - An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5....↗2018

▶

💬Community

Bugzilla

CVE-2018-12028 passenger: Improper access control in SpawningKit can allow malicious child processes to kill arbitrary processes↗2018-06-19

▶