What is the severity of CVE-2018-12027?

The severity of CVE-2018-12027 is high with a CVSS score of 8.8.

How does CVE-2018-12027 cause information disclosure?

CVE-2018-12027 causes information disclosure when a Passenger-spawned application process reports that it listens on a certain Unix domain socket, and any parent directories of the socket have insecure permissions.

Which versions of Phusion Passenger are affected by CVE-2018-12027?

Phusion Passenger versions 5.3.0 to 5.3.2 are affected by CVE-2018-12027.

How can I fix CVE-2018-12027?

To fix CVE-2018-12027, you should update Phusion Passenger to version 5.3.2 or later.

Vulnerability/
CVE-2018-12027

high

8.8

CWE

200 732

17/6/2018

5/8/2024

CVE-2018-12027: Infoleak

Q: What is CVE-2018-12027?

CVE-2018-12027 is an Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2.

First published: Sun Jun 17 2018(Updated: )

An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 causes information disclosure in the following situation: given a Passenger-spawned application process that reports that it listens on a certain Unix domain socket, if any of the parent directories of said socket are writable by a normal user that is not the application's user, then that non-application user can swap that directory with something else, resulting in traffic being redirected to a non-application user's process through an alternative Unix domain socket.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Phusion Passenger	>=5.3.0<5.3.2

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2018-12027?
CVE-2018-12027 is an Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2.
What is the severity of CVE-2018-12027?
The severity of CVE-2018-12027 is high with a CVSS score of 8.8.
How does CVE-2018-12027 cause information disclosure?
CVE-2018-12027 causes information disclosure when a Passenger-spawned application process reports that it listens on a certain Unix domain socket, and any parent directories of the socket have insecure permissions.
Which versions of Phusion Passenger are affected by CVE-2018-12027?
Phusion Passenger versions 5.3.0 to 5.3.2 are affected by CVE-2018-12027.
How can I fix CVE-2018-12027?
To fix CVE-2018-12027, you should update Phusion Passenger to version 5.3.2 or later.

collector/nvd-index
agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/severity
agent/weakness
agent/last-modified-date
agent/author
agent/description
agent/first-publish-date
agent/event
agent/tags
vendor/phusion
canonical/phusion passenger
version/phusion passenger/5.3.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.