CVE-2017-16355
Description
In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from the application root folder to a file of choice and querying passenger-status --show=xml.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Local users with deploy permissions can read arbitrary files via symlink attack in Phusion Passenger when running as root.
Vulnerability
In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (Open Source) and prior Enterprise versions, if Passenger runs as root, an attacker can symlink the REVISION file from the application root to an arbitrary file. This is available in versions prior to Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10 [1][2].
Exploitation
An attacker must be a local user allowed to deploy an application to Passenger and have write access to the application root folder. By creating a symlink named REVISION pointing to a target file, and then running passenger-status --show=xml, the contents of the target file are disclosed [1][2].
Impact
Successful exploitation allows the attacker to read the contents of any file on the system that the Passenger process (running as root) can access, leading to information disclosure [1].
Mitigation
Upgrade to Passenger Open Source 5.1.11 or Passenger Enterprise 5.1.10. Debian stretch users should upgrade to version 5.0.30-1+deb9u1 [2]. No workaround is provided. Ensure Passenger is not run as root if possible.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
passengerRubyGems | < 5.1.11 | 5.1.11 |
Affected products
2- ghsa-coords2 versionspkg:gem/passengerpkg:rpm/suse/rubygem-passenger&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012
< 5.1.11+ 1 more
- (no CPE)range: < 5.1.11
- (no CPE)range: < 5.0.18-12.5.1
Patches
1404371826409Disable unused feature.
1 file changed · +2 −1
src/agent/Core/SpawningKit/Spawner.h+2 −1 modified@@ -721,7 +721,6 @@ class Spawner { prepareChroot(info, options); info.userSwitching = prepareUserSwitching(options); prepareSwitchingWorkingDirectory(info, options); - inferApplicationInfo(info); return info; } @@ -775,6 +774,7 @@ class Spawner { assert(info.appRootPathsInsideChroot.back() == info.appRootInsideChroot); } +#ifdef false void inferApplicationInfo(SpawnPreparationInfo &info) const { info.codeRevision = readFromRevisionFile(info); if (info.codeRevision.empty()) { @@ -817,6 +817,7 @@ class Spawner { return string(); } } +#endif bool shouldLoadShellEnvvars(const Options &options, const SpawnPreparationInfo &preparation) const { if (options.loadShellEnvvars) {
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bfnvdPatchThird Party AdvisoryWEB
- blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/nvdThird Party Advisory
- github.com/advisories/GHSA-cv3f-px9r-54hmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-16355ghsaADVISORY
- seclists.org/bugtraq/2019/Mar/34nvdIssue TrackingMailing ListThird Party AdvisoryWEB
- www.debian.org/security/2019/dsa-4415nvdThird Party AdvisoryWEB
- blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11ghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2017-16355.ymlghsaWEB
News mentions
0No linked articles in our index yet.