Medium severity4.7NVD Advisory· Published Dec 14, 2017· Updated Jun 17, 2026
CVE-2017-16355
CVE-2017-16355
Description
In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from the application root folder to a file of choice and querying passenger-status --show=xml.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
passengerRubyGems | < 5.1.11 | 5.1.11 |
Affected products
5- ghsa-coords2 versionspkg:gem/passengerpkg:rpm/suse/rubygem-passenger&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012
< 5.1.11+ 1 more
- (no CPE)range: < 5.1.11
- (no CPE)range: < 5.0.18-12.5.1
Patches
Vulnerability mechanics
References
8- github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bfnvdPatchThird Party AdvisoryWEB
- blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/nvdThird Party Advisory
- github.com/advisories/GHSA-cv3f-px9r-54hmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-16355ghsaADVISORY
- seclists.org/bugtraq/2019/Mar/34nvdIssue TrackingMailing ListThird Party AdvisoryWEB
- www.debian.org/security/2019/dsa-4415nvdThird Party AdvisoryWEB
- blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11ghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2017-16355.ymlghsaWEB
News mentions
0No linked articles in our index yet.