Passenger
by Phusion
Source repositories
CVEs (6)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2016-10345 | Hig | 0.44 | 7.8 | 0.00 | Apr 18, 2017 | In Phusion Passenger before 5.1.0, a known /tmp filename was used during passenger-install-nginx-module execution, which could allow local attackers to gain the privileges of the passenger user. | |
| CVE-2025-26803 | 0.00 | — | 0.00 | Feb 24, 2025 | The http parser in Phusion Passenger 6.0.21 through 6.0.25 before 6.0.26 allows a denial of service during parsing of a request with an invalid HTTP method. | ||
| CVE-2014-1832 | 0.00 | — | 0.00 | Feb 19, 2015 | Phusion Passenger 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1831. | ||
| CVE-2014-1831 | 0.00 | — | 0.00 | Feb 19, 2015 | Phusion Passenger before 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. | ||
| CVE-2013-2119 | 0.00 | — | 0.00 | Jan 3, 2014 | Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem. | ||
| CVE-2013-4136 | 0.00 | — | 0.00 | Sep 30, 2013 | ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/. |
- risk 0.44cvss 7.8epss 0.00
In Phusion Passenger before 5.1.0, a known /tmp filename was used during passenger-install-nginx-module execution, which could allow local attackers to gain the privileges of the passenger user.
- CVE-2025-26803Feb 24, 2025risk 0.00cvss —epss 0.00
The http parser in Phusion Passenger 6.0.21 through 6.0.25 before 6.0.26 allows a denial of service during parsing of a request with an invalid HTTP method.
- CVE-2014-1832Feb 19, 2015risk 0.00cvss —epss 0.00
Phusion Passenger 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1831.
- CVE-2014-1831Feb 19, 2015risk 0.00cvss —epss 0.00
Phusion Passenger before 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file.
- CVE-2013-2119Jan 3, 2014risk 0.00cvss —epss 0.00
Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem.
- CVE-2013-4136Sep 30, 2013risk 0.00cvss —epss 0.00
ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/.