CVE-2013-4136

Name of the Vulnerable Software and Affected Versions Phusion Passenger gem versions prior to 4.0.6

Description The issue allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/. This is due to a vulnerability in the ext/common/ServerInstanceDir.h file.

Recommendations For Phusion Passenger gem versions prior to 4.0.6, update to version 4.0.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the /tmp/ directory to minimize the risk of exploitation.