CVE-2018-12026
First published: Sun Jun 17 2018(Updated: )
During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in turn can result in information disclosure and privilege escalation.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Phusion Passenger | >=5.3.0<5.3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2018-12026?
CVE-2018-12026 is a vulnerability in Phusion Passenger 5.3.x before 5.3.2 that allows a malicious application to replace key files or directories with symlinks, resulting in arbitrary reads and writes.
What is the severity of CVE-2018-12026?
CVE-2018-12026 has a severity rating of 9.8 (critical).
Which software is affected by CVE-2018-12026?
Phusion Passenger versions 5.3.0 to 5.3.1 are affected by CVE-2018-12026.
How can the CVE-2018-12026 vulnerability be fixed?
To fix the CVE-2018-12026 vulnerability, upgrade Phusion Passenger to version 5.3.2 or later.
Where can I find more information about CVE-2018-12026?
You can find more information about CVE-2018-12026 at the following references: [Phusion Passenger Blog](https://blog.phusion.nl/passenger-5-3-2), [Gentoo Security Advisory](https://security.gentoo.org/glsa/201807-02).
- collector/nvd-index
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/tags
- agent/type
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/phusion
- canonical/phusion passenger
- version/phusion passenger/5.3.0