Description
An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges.
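The privilege-lowering order that leaves no part of the supplementary group list undefined, as an added C example (not Passenger's code and not taken from this advisory). The helper names `build_gidset`, `gidset_is_subset` and `drop_privileges`, and the 256-entry verification buffer, are assumptions of the example.

```c
#define _DEFAULT_SOURCE          /* getgrouplist(), setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Build the complete group list for `user`, primary gid included.
 * Returns the entry count and stores a malloc'd array in *out, or -1. */
int build_gidset(const char *user, gid_t primary, gid_t **out) {
    int n = 16;
    gid_t *set = malloc((size_t)n * sizeof *set);
    if (!set) return -1;
    if (getgrouplist(user, primary, set, &n) == -1) {
        /* Buffer too small: n now holds the required number of entries. */
        gid_t *bigger = realloc(set, (size_t)n * sizeof *set);
        if (!bigger) { free(set); return -1; }
        set = bigger;
        if (getgrouplist(user, primary, set, &n) == -1) { free(set); return -1; }
    }
    *out = set;
    return n;                    /* only the first n entries are meaningful */
}

/* Returns 1 if every gid in actual[] also appears in allowed[], else 0. */
int gidset_is_subset(const gid_t *actual, int na, const gid_t *allowed, int nallowed) {
    for (int i = 0; i < na; i++) {
        int found = 0;
        for (int j = 0; j < nallowed; j++)
            if (actual[i] == allowed[j]) { found = 1; break; }
        if (!found) return 0;
    }
    return 1;
}

/* Drop from root to `user`: supplementary groups, then gid, then uid.
 * Afterwards re-read the kernel's group list and confirm nothing extra remains. */
int drop_privileges(const char *user) {
    struct passwd *pw = getpwnam(user);
    gid_t *want = NULL, have[256];   /* assumes at most 256 groups when verifying */
    if (!pw) return -1;
    int n = build_gidset(user, pw->pw_gid, &want), rc = -1;
    if (n < 0) return -1;
    if (setgroups((size_t)n, want) == 0 && setgid(pw->pw_gid) == 0 &&
        setuid(pw->pw_uid) == 0) {
        int got = getgroups(256, have);
        if (got >= 0 && gidset_is_subset(have, got, want, n)) rc = 0;
    }
    free(want);
    return rc;
}
```

A caller that receives -1 from `drop_privileges` should exit rather than continue with whatever identity the process has at that point.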
Remediation
References