CVE-2018-12615
Description
An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Phusion Passenger before 5.3.2 uses uninitialized memory for supplementary groups when lowering privileges, leading to arbitrary group membership.
Vulnerability
The vulnerability resides in the switchGroup() function in agent/ExecHelper/ExecHelperMain.cpp of Phusion Passenger versions before 5.3.2. Before setgroups() is called, the gidset array is allocated via new gid_t[ngroups] but never filled with the contents of the groups array. As a result, the supplementary group IDs passed to setgroups() come from uninitialized memory, so the group set is effectively random rather than the intended groups [1][4].
Exploitation
An attacker who can trigger the privilege-lowering code path (for example, by starting a Passenger application process that drops privileges) can cause the process to inherit arbitrary supplementary group memberships determined by uninitialized heap memory. No authentication or special network position is required beyond the ability to execute or influence a Passenger worker process that undergoes group switching [1].
Impact
Successful exploitation can lead to unintended privilege escalation: the affected process may retain or gain supplementary group memberships that should not be present after lowering privileges. This could allow the process to access files, resources, or perform actions that are restricted to those unintended groups, violating the principle of least privilege and potentially leading to information disclosure or local privilege escalation [1][2].
Mitigation
Phusion Passenger 5.3.2 and later fix the issue by properly initializing the gidset array with the contents of groups before calling setgroups() [4]. Users should upgrade to version 5.3.2 or newer. No workaround is available for earlier versions. This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
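A post-drop check that a privilege-lowering helper could run, as an added example (not Passenger's code): after setgroups() it reads the supplementary groups back with getgroups() and compares them with the intended list, so an unfilled gidset is caught instead of silently applied. The function names, the 4096-entry buffer and the sample GIDs are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

static int gid_cmp(const void *a, const void *b) {
    gid_t x = *(const gid_t *)a, y = *(const gid_t *)b;
    return (x > y) - (x < y);
}

/* Copy `in` to `out` without `skip`, sorted and de-duplicated; returns length. */
static int normalize(const gid_t *in, int n, gid_t skip, gid_t *out) {
    int m = 0, k = 0;
    for (int i = 0; i < n; i++)
        if (in[i] != skip) out[m++] = in[i];
    qsort(out, (size_t)m, sizeof(gid_t), gid_cmp);
    for (int i = 0; i < m; i++)
        if (k == 0 || out[k - 1] != out[i]) out[k++] = out[i];
    return k;
}

/* 1 if both lists name the same groups, ignoring order, duplicates and egid
 * (POSIX leaves it open whether getgroups() reports the effective GID). */
int same_group_set(const gid_t *want, int nwant,
                   const gid_t *have, int nhave, gid_t egid) {
    gid_t *w = malloc(sizeof(gid_t) * (size_t)(nwant + 1));
    gid_t *h = malloc(sizeof(gid_t) * (size_t)(nhave + 1));
    int ok = 0;
    if (w && h) {
        int nw = normalize(want, nwant, egid, w);
        int nh = normalize(have, nhave, egid, h);
        ok = nw == nh && memcmp(w, h, sizeof(gid_t) * (size_t)nw) == 0;
    }
    free(w); free(h);
    return ok;
}

/* Run after setgroups()/setgid()/setuid(); 1 only if the kernel's list matches. */
int supplementary_groups_match(const gid_t *want, int nwant) {
    gid_t have[4096]; /* assumed upper bound; a larger list fails closed */
    int n = getgroups(4096, have);
    return n >= 0 && same_group_set(want, nwant, have, n, getegid());
}

int main(void) {
    gid_t want[] = {33, 1000}, stale[] = {0, 4, 1000}; /* constructed values */
    printf("match=%d\n", same_group_set(want, 2, stale, 3, 1000));
    return 0;
}
```

A caller would treat a zero return from supplementary_groups_match() as fatal and exit before running the application code.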
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| passenger (RubyGems) | < 5.3.2 | 5.3.2 |
Affected products (1)
Patches (1)
4e97fdb86d0a ExecHelperMain: fix privilege lowering code
1 file changed · +3 −0
src/agent/ExecHelper/ExecHelperMain.cpp+3 −0 modified@@ -201,6 +201,9 @@ switchGroup(uid_t uid, const struct passwd *userInfo, gid_t gid) { if (ngroups <= NGROUPS_MAX) { setgroupsCalled = true; gidset.reset(new gid_t[ngroups]); + for (int i = 0; i < ngroups; i++) { + gidset[i] = groups[i]; + } if (setgroups(ngroups, gidset.get()) == -1) { int e = errno; fprintf(stderr, "ERROR: setgroups(%d, ...) failed: %s (errno=%d)\n",
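Review bot: the copy loop added between `gidset.reset(new gid_t[ngroups]);` and `setgroups(ngroups, gidset.get())` has no comment saying why it is required and nothing checks its result, so it is easy to lose again in a later refactor. Suggest a one-line comment stating that `new gid_t[ngroups]` leaves the elements uninitialized, or replacing the loop with `std::copy(groups, groups + ngroups, gidset.get());`, and, after a successful `setgroups()`, reading the list back with `getgroups()` and aborting on a mismatch. The visible guard only tests `ngroups <= NGROUPS_MAX`; if `ngroups` can be zero or negative at this point, that case deserves an explicit check before the allocation.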
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.