PT-2018-11291 · Phusion · Phusion Passenger

Published

2018-06-21

Updated

2022-05-13

CVE-2018-12615

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Phusion Passenger versions prior to 5.3.2

Description An issue was discovered in the switchGroup() function, specifically in the agent/ExecHelper/ExecHelperMain.cpp file. The set of groups, referred to as gidset, is not set correctly, resulting in randomness due to uninitialized memory. This randomness determines which supplementary groups are actually being set while lowering privileges.

Recommendations For versions prior to 5.3.2, update to version 5.3.2 or later to resolve the issue.

Exploit

Fix

Incorrect Permission

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-732

Related Identifiers

CVE-2018-12615

GHSA-4284-JFHC-F854

Affected Products

Phusion Passenger

PT-2018-11291 · Phusion · Phusion Passenger

CVE-2018-12615

Weakness Enumeration

Related Identifiers

Affected Products

References · 7