CVE-2017-16355

In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from the application root folder to a file of choice and querying passenger-status --show=xml.

CVSS v3 4.7 MEDIUM
CVSS v2.0 1.2 LOW

4.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.0 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

1.2^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:H/Au:N/C:P/I:N/A:N

Exploitability : 1.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/	Third Party Advisory
https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf	Patch Third Party Advisory
https://seclists.org/bugtraq/2019/Mar/34	Issue Tracking Mailing List Third Party Advisory
https://www.debian.org/security/2019/dsa-4415	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:phusion:passenger:::::enterprise:::*
	cpe:2.3:a:phusion:passenger:::::open_source:::*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-12-14 22:29

Updated : 2024-02-04 19:29

NVD link : CVE-2017-16355

Mitre link : CVE-2017-16355

CVE.ORG link : CVE-2017-16355

JSON object : View

Products Affected

phusion

passenger

debian

debian_linux

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2017-16355", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 1.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 1.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2017-12-14T22:29:00.210", "references": [{"url": "https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://seclists.org/bugtraq/2019/Mar/34", "tags": ["Issue Tracking", "Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.debian.org/security/2019/dsa-4415", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from the application root folder to a file of choice and querying passenger-status --show=xml."}, {"lang": "es", "value": "En agent/Core/SpawningKit/Spawner.h en Phusion Passenger 5.1.10 (corregido en Passenger Open Source 5.1.11 y Passenger Enterprise 5.1.10), si Passenger se est\u00e1 ejecutando como root, es posible listar el contenido de archivos arbitrarios en un sistema vinculando simb\u00f3licamente un archivo llamado REVISION de la carpeta root de la aplicaci\u00f3n a un archivo de libre elecci\u00f3n y consultando passenger-status --show=xml."}], "lastModified": "2019-10-28T15:31:55.957", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:phusion:passenger:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "7E734B94-2D51-47B0-9AEF-E736969D2E82", "versionEndExcluding": "5.1.10", "versionStartIncluding": "5.0.10"}, {"criteria": "cpe:2.3:a:phusion:passenger:*:*:*:*:open_source:*:*:*", "vulnerable": true, "matchCriteriaId": "285B15FA-D517-437D-8C69-D7C6CBAB9468", "versionEndExcluding": "5.1.11", "versionStartIncluding": "5.0.10"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}