Description
A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but before it was chowned, leads to the target of the link being chowned via the path. Targeting sensitive files such as root's crontab file allows privilege escalation.
References (4)
Mitigation, Vendor Advisory (x_refsource_misc): https://blog.phusion.nl/passenger-5-3-2
Third Party Advisory (vendor-advisory, x_refsource_gentoo): https://security.gentoo.org/glsa/201807-02
Third Party Advisory (x_refsource_misc): https://pulsesecurity.co.nz/advisories/phusion-passenger-priv-esc
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2018/06/msg00007.html
Scores
CVSS v3: 7.0
EPSS: 0.0010
EPSS Percentile: 27.0%
Attack Vector: LOCAL
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-362
Status: published
Products (3)
debian/debian_linux: 8.0
phusion/passenger: 3.0.0 - 5.3.2
rubygems/passenger: 3.0.0 - 5.3.2 (RubyGems)
Published: Jun 17, 2018
Tracked Since: Feb 18, 2026