VYPR

Passenger

by Phusion

gem: passenger

Source repositories

CVEs (8)

  • CVE-2016-10345HigApr 18, 2017
    risk 0.44cvss 7.8epss 0.00

    In Phusion Passenger before 5.1.0, a known /tmp filename was used during passenger-install-nginx-module execution, which could allow local attackers to gain the privileges of the passenger user.

  • CVE-2017-16355MedDec 14, 2017
    risk 0.24cvss 4.7epss 0.00

    In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from…

  • CVE-2015-7519LowJan 8, 2016
    risk 0.17cvss 3.7epss 0.02

    agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore)…

  • CVE-2025-26803Feb 24, 2025
    risk 0.00cvss epss 0.01

    The http parser in Phusion Passenger 6.0.21 through 6.0.25 before 6.0.26 allows a denial of service during parsing of a request with an invalid HTTP method.

  • CVE-2014-1832Feb 19, 2015
    risk 0.00cvss epss 0.00

    Phusion Passenger 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1831.

  • CVE-2014-1831Feb 19, 2015
    risk 0.00cvss epss 0.00

    Phusion Passenger before 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file.

  • CVE-2013-2119Jan 3, 2014
    risk 0.00cvss epss 0.00

    Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the…

  • CVE-2013-4136Sep 30, 2013
    risk 0.00cvss epss 0.00

    ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/.