Описание
A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but before it was chowned, leads to the target of the link being chowned via the path. Targeting sensitive files such as root's crontab file allows privilege escalation.
| Релиз | Статус | Примечание |
|---|---|---|
| artful | ignored | end of life |
| bionic | released | 5.0.30-1+deb9u1build0.18.04.1 |
| cosmic | released | 5.0.30-1+deb9u1build0.18.10.1 |
| devel | not-affected | 5.0.30-1.1 |
| disco | released | 5.0.30-1+deb9u1build0.19.04.1 |
| eoan | not-affected | 5.0.30-1.1 |
| esm-apps/bionic | released | 5.0.30-1+deb9u1build0.18.04.1 |
| esm-apps/focal | not-affected | 5.0.30-1.1 |
| esm-apps/jammy | not-affected | 5.0.30-1.1 |
| esm-apps/xenial | released | 5.0.27-2ubuntu0.1~esm1 |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| artful | DNE | |
| bionic | DNE | |
| cosmic | DNE | |
| devel | DNE | |
| disco | DNE | |
| eoan | DNE | |
| esm-infra-legacy/trusty | DNE | trusty/esm was DNE [trusty was needs-triage] |
| esm-infra/focal | DNE | |
| focal | DNE | |
| groovy | DNE |
Показывать по
EPSS
4.4 Medium
CVSS2
7 High
CVSS3
Связанные уязвимости
A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but before it was chowned, leads to the target of the link being chowned via the path. Targeting sensitive files such as root's crontab file allows privilege escalation.
A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but before it was chowned, leads to the target of the link being chowned via the path. Targeting sensitive files such as root's crontab file allows privilege escalation.
A race condition in the nginx module in Phusion Passenger 3.x through ...
Phusion Passenger Race Condition Allows Privilege Escalation
EPSS
4.4 Medium
CVSS2
7 High
CVSS3