Description

During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in turn can result in information disclosure and privilege escalation.

Remediation

References

CVE-2018-12026

Related Vulnerabilities

Drupal Core 9.1.x Directory Traversal (9.1.0 - 9.1.10)

WordPress Plugin Zoho CRM Lead Magnet Cross-Site Scripting (1.6.9.1)

PHP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2018-10545)

Moodle Weak Password Recovery Mechanism for Forgotten Password Vulnerability (CVE-2016-7038)

Roundcube Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-26925)

Severity

Critical

Classification

CVE-2018-12026 CWE-59 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities