CVE-2013-2119
Phusion Passenger < 3.0.21 and 4.0.x < 4.0.5 - Denial of Service and Privilege Escalation via Temporary Config File
Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem.
References (4)
Core References
Issue Tracking, Third Party Advisory (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=892813
Third Party Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2013-1136.html
Patch, Vendor Advisory (x_refsource_confirm): http://blog.phusion.nl/2013/05/29/phusion-passenger-3-0-21-released/
Patch, Vendor Advisory (x_refsource_confirm): http://blog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released/
Scores
EPSS: 0.0006
EPSS Percentile: 17.4%
Details
CWE: CWE-264
Status: published
Products (26)
phusion/passenger 3.0.0
phusion/passenger 3.0.1
phusion/passenger 3.0.2
phusion/passenger 3.0.3
phusion/passenger 3.0.4
phusion/passenger 3.0.5
phusion/passenger 3.0.6
phusion/passenger 3.0.7
phusion/passenger 3.0.8
phusion/passenger 3.0.9
... and 16 more
Published: Jan 03, 2014
Tracked Since: Feb 18, 2026