PT-2018-2735 · Phusion+2 · Phusion Passenger+2
Denis Andzakovic · Published 2018-06-17 · Updated 2022-05-14 · CVE-2018-12029
CVSS v3.1: 7.0 (High)
| Vector | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Phusion Passenger versions 3.x through 5.x before 5.3.2
Description
The issue is related to a race condition in the nginx module of Phusion Passenger, which can be exploited when a non-standard passenger instance registry dir with insufficiently strict permissions is configured. This can allow a remote attacker to access sensitive data or a local attacker to escalate privileges by replacing a file with a symlink after the file was created but before it was chowned, potentially targeting sensitive files.
Recommendations
For Phusion Passenger versions 3.x through 5.x before 5.3.2, update to version 5.3.2 or later to resolve the issue.
As a temporary workaround, consider restricting access to the passenger instance registry dir to minimize the risk of exploitation.
Exploit
Fix
Race Condition
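One way to verify the workaround described under Recommendations, as an added example (not part of the advisory or of Passenger's code): a Python audit that walks the configured instance registry directory and every ancestor, and reports any component that group or others can write to without the sticky bit. Treating sticky directories such as /tmp as acceptable is an assumption of this example; the function names and the sample directories are constructed.

```python
import os
import stat
import tempfile


def audit_registry_dir(path):
    """Return (directory, octal mode, reason) findings for path and its ancestors."""
    findings = []
    current = os.path.realpath(path)
    while True:
        st = os.stat(current)
        mode = stat.S_IMODE(st.st_mode)
        if not stat.S_ISDIR(st.st_mode):
            findings.append((current, oct(mode), "not a directory"))
        else:
            writable = [name for bit, name in
                        ((stat.S_IWGRP, "group"), (stat.S_IWOTH, "others"))
                        if mode & bit]
            # Assumption: a sticky directory (like /tmp) is acceptable because
            # users cannot remove or rename entries they do not own.
            if writable and not mode & stat.S_ISVTX:
                reason = "writable by " + "/".join(writable) + " without sticky bit"
                findings.append((current, oct(mode), reason))
        parent = os.path.dirname(current)
        if parent == current:          # reached the filesystem root
            return findings
        current = parent


def demo():
    """Audit one loose and one strict directory in a constructed sample tree."""
    base = tempfile.mkdtemp()          # constructed sample location, mode 0700
    loose = os.path.realpath(os.path.join(base, "instreg-loose"))
    strict = os.path.realpath(os.path.join(base, "instreg-strict"))
    os.mkdir(loose)
    os.mkdir(strict)
    os.chmod(loose, 0o777)             # world-writable, no sticky bit
    os.chmod(strict, 0o755)            # only the owner can write
    return audit_registry_dir(loose), audit_registry_dir(strict), loose, strict


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```

Ancestors are checked because a writable parent lets another user rename or replace the directory itself, regardless of the directory's own mode.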
Affected Products
Phusion Passenger
Suse
Ubuntu