Description

An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an error, it would cause Passenger's process manager to kill said reported arbitrary PID.

Remediation

References

CVE-2018-12028

Related Vulnerabilities

WebLogic Deserialization of Untrusted Data Vulnerability (CVE-2020-11620)

TYPO3 Improper Neutralization of HTTP Headers for Scripting Syntax Vulnerability (CVE-2021-41114)

PHP-Fusion Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2012-6043)

MyBB Improper Privilege Management Vulnerability (CVE-2018-1000503)

MySQL Deserialization of Untrusted Data Vulnerability (CVE-2019-14540)

Severity

High

Classification

CVE-2018-12028 CWE-732 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities