VYPR

Vendor: Phusion

Products: 3
CVEs: 10
Across products: 10
Status: Private

Recent CVEs (10)

  • CVE-2016-10345 · High · Apr 18, 2017
    risk 0.44 · cvss 7.8 · epss 0.00

    In Phusion Passenger before 5.1.0, a known /tmp filename was used during passenger-install-nginx-module execution, which could allow local attackers to gain the privileges of the passenger user.

  • CVE-2017-16355 · Medium · Dec 14, 2017
    risk 0.24 · cvss 4.7 · epss 0.00

    In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from…

  • CVE-2015-7519 · Low · Jan 8, 2016
    risk 0.17 · cvss 3.7 · epss 0.02

    agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore)…

  • CVE-2025-26803 · Feb 24, 2025
    risk 0.00 · cvss · epss 0.01

    The http parser in Phusion Passenger 6.0.21 through 6.0.25 before 6.0.26 allows a denial of service during parsing of a request with an invalid HTTP method.

  • CVE-2012-6135 · Nov 19, 2019
    risk 0.00 · cvss · epss 0.02

    RubyGems passenger 4.0.0 betas 1 and 2 allows remote attackers to delete arbitrary files during the startup process.

  • CVE-2014-1832 · Feb 19, 2015
    risk 0.00 · cvss · epss 0.00

    Phusion Passenger 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1831.

  • CVE-2014-1831 · Feb 19, 2015
    risk 0.00 · cvss · epss 0.00

    Phusion Passenger before 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file.

  • CVE-2013-7134 · Apr 29, 2014
    risk 0.00 · cvss · epss 0.02

    Juvia uses the same secret key for all installations, which allows remote attackers to have unspecified impact by leveraging the secret key in app/config/initializers/secret_token.rb, related to cookies.

  • CVE-2013-2119 · Jan 3, 2014
    risk 0.00 · cvss · epss 0.00

    Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the…

  • CVE-2013-4136 · Sep 30, 2013
    risk 0.00 · cvss · epss 0.00

    ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/.