CVE-2018-12028
First published: Sun Jun 17 2018(Updated: )
An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an error, it would cause Passenger's process manager to kill said reported arbitrary PID.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Phusion Passenger | >=5.3.0<5.3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2018-12028?
The severity of CVE-2018-12028 is high.
What software is affected by CVE-2018-12028?
Phusion Passenger versions between 5.3.0 and 5.3.2 are affected by CVE-2018-12028.
How does CVE-2018-12028 work?
CVE-2018-12028 allows a malicious application to report an arbitrary different Process ID (PID) to Passenger's process manager, potentially leading to unauthorized access or privilege escalation.
Are there any known fixes for CVE-2018-12028?
Yes, the vulnerability has been fixed in Phusion Passenger version 5.3.2.
Where can I find more information about CVE-2018-12028?
More information about CVE-2018-12028 can be found at the following links: [https://blog.phusion.nl/passenger-5-3-2](https://blog.phusion.nl/passenger-5-3-2) and [https://security.gentoo.org/glsa/201807-02](https://security.gentoo.org/glsa/201807-02).
- collector/nvd-index
- agent/references
- agent/event
- agent/severity
- agent/weakness
- agent/author
- agent/type
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/phusion
- canonical/phusion passenger
- version/phusion passenger/5.3.0