Related vulnerabilities
GSD-2014-1832
Vulnerability from gsd - Updated: 2014-01-29 00:00
Details
Phusion Passenger 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1831.
Aliases
{
"GSD": {
"alias": "CVE-2014-1832",
"description": "Phusion Passenger 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1831.",
"id": "GSD-2014-1832",
"references": [
"https://www.suse.com/security/cve/CVE-2014-1832.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "passenger",
"purl": "pkg:gem/passenger"
}
}
],
"aliases": [
"CVE-2014-1832",
"OSVDB-102613"
],
"details": "Phusion Passenger 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1831.",
"id": "GSD-2014-1832",
"modified": "2014-01-29T00:00:00.000Z",
"published": "2014-01-29T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1832"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 2.1,
"type": "CVSS_V2"
}
],
"summary": "CVE-2014-1831 CVE-2014-1832 rubygem-passenger: insecure use of temporary files"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-1832",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Phusion Passenger 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1831."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20140129 Re: CVE request: temporary file issue in Passenger rubygem",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/01/29/6"
},
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736958",
"refsource": "CONFIRM",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736958"
},
{
"name": "[oss-security] 20150130 Re: CVE request: temporary file issue in Passenger rubygem",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/01/30/3"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1058992",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1058992"
},
{
"name": "FEDORA-2015-1151",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149032.html"
},
{
"name": "https://github.com/phusion/passenger/commit/94428057c602da3d6d34ef75c78091066ecac5c0",
"refsource": "CONFIRM",
"url": "https://github.com/phusion/passenger/commit/94428057c602da3d6d34ef75c78091066ecac5c0"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2014-1832",
"cvss_v2": 2.1,
"date": "2014-01-29",
"description": "Phusion Passenger 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1831.",
"gem": "passenger",
"osvdb": 102613,
"patched_versions": [
"\u003e= 4.0.38"
],
"title": "CVE-2014-1831 CVE-2014-1832 rubygem-passenger: insecure use of temporary files",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1832"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c4.0.38",
"affected_versions": "All versions before 4.0.38",
"credit": "Hongli Lai",
"cvss_v2": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2015-02-20",
"description": "This package contains a flaw as the program creates the server instance directory insecurely. It is possible for a local attacker to use a symlink attack against the directory to cause the program to unexpectedly overwrite an arbitrary file.",
"fixed_versions": [
"4.0.38"
],
"identifier": "CVE-2014-1832",
"identifiers": [
"CVE-2014-1832"
],
"not_impacted": "All versions starting from 4.0.38",
"package_slug": "gem/passenger",
"pubdate": "2015-02-19",
"solution": "Upgrade to version 4.0.38 or above.",
"title": "Server Instance Directory Creation Local Symlink File Overwrite",
"urls": [
"https://github.com/phusion/passenger/commit/34b1087870c2bf85ebfd72c30b78577e10ab9744"
],
"uuid": "6dcf5393-afe4-46a2-9fb8-97e7213be338"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "4.0.36",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-1832"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Phusion Passenger 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1831."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phusion/passenger/commit/94428057c602da3d6d34ef75c78091066ecac5c0",
"refsource": "CONFIRM",
"tags": [],
"url": "https://github.com/phusion/passenger/commit/94428057c602da3d6d34ef75c78091066ecac5c0"
},
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736958",
"refsource": "CONFIRM",
"tags": [],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736958"
},
{
"name": "[oss-security] 20140129 Re: CVE request: temporary file issue in Passenger rubygem",
"refsource": "MLIST",
"tags": [],
"url": "http://openwall.com/lists/oss-security/2014/01/29/6"
},
{
"name": "[oss-security] 20150130 Re: CVE request: temporary file issue in Passenger rubygem",
"refsource": "MLIST",
"tags": [],
"url": "http://openwall.com/lists/oss-security/2014/01/30/3"
},
{
"name": "FEDORA-2015-1151",
"refsource": "FEDORA",
"tags": [],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149032.html"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1058992",
"refsource": "CONFIRM",
"tags": [],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1058992"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2015-02-20T23:58Z",
"publishedDate": "2015-02-19T15:59Z"
}
}
}
GSD-2014-1831
Vulnerability from gsd - Updated: 2014-01-28 00:00
Details
Phusion Passenger before 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file.
Aliases
{
"GSD": {
"alias": "CVE-2014-1831",
"description": "Phusion Passenger before 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file.",
"id": "GSD-2014-1831",
"references": [
"https://www.suse.com/security/cve/CVE-2014-1831.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "passenger",
"purl": "pkg:gem/passenger"
}
}
],
"aliases": [
"CVE-2014-1831",
"OSVDB-102613"
],
"details": "Phusion Passenger before 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file.",
"id": "GSD-2014-1831",
"modified": "2014-01-28T00:00:00.000Z",
"published": "2014-01-28T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1831"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 2.1,
"type": "CVSS_V2"
}
],
"summary": "CVE-2014-1831 CVE-2014-1832 rubygem-passenger: insecure use of temporary files"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-1831",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Phusion Passenger before 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736958",
"refsource": "CONFIRM",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736958"
},
{
"name": "https://github.com/phusion/passenger/commit/34b1087870c2",
"refsource": "CONFIRM",
"url": "https://github.com/phusion/passenger/commit/34b1087870c2"
},
{
"name": "[oss-security] 20140130 Re: CVE request: temporary file issue in Passenger rubygem",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/01/30/3"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1058992",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1058992"
},
{
"name": "FEDORA-2015-1151",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149032.html"
},
{
"name": "[oss-security] 20140128 CVE request: temporary file issue in Passenger rubygem",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/01/28/8"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2014-1831",
"cvss_v2": 2.1,
"date": "2014-01-28",
"description": "Phusion Passenger before 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file.",
"gem": "passenger",
"osvdb": 102613,
"patched_versions": [
"\u003e= 4.0.37"
],
"title": "CVE-2014-1831 CVE-2014-1832 rubygem-passenger: insecure use of temporary files",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1831"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=4.0.5 \u003c4.0.33",
"affected_versions": "All versions starting from 4.0.5 before 4.0.33",
"credit": "Jakub Wilk",
"cvss_v2": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2015-02-20",
"description": "Passenger Gem for Ruby contains a flaw as the program creates the server instance directory insecurely. It is possible for a local attacker to use a symlink attack against the directory to cause the program to unexpectedly overwrite an arbitrary file.",
"fixed_versions": [
"4.0.33"
],
"identifier": "CVE-2014-1831",
"identifiers": [
"CVE-2014-1831"
],
"not_impacted": "All versions before 4.0.5, all versions starting from 4.0.33",
"package_slug": "gem/passenger",
"pubdate": "2015-02-19",
"solution": "Upgrade to version 4.0.33 or above.",
"title": "Instance Directory Creation Symlink Arbitrary File Overwrite",
"urls": [
"http://osvdb.org/show/osvdb/102613"
],
"uuid": "e22c9bed-524a-463a-abd9-b28015dfb8e0"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "4.0.36",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-1831"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Phusion Passenger before 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736958",
"refsource": "CONFIRM",
"tags": [],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736958"
},
{
"name": "[oss-security] 20140128 CVE request: temporary file issue in Passenger rubygem",
"refsource": "MLIST",
"tags": [],
"url": "http://openwall.com/lists/oss-security/2014/01/28/8"
},
{
"name": "[oss-security] 20140130 Re: CVE request: temporary file issue in Passenger rubygem",
"refsource": "MLIST",
"tags": [],
"url": "http://openwall.com/lists/oss-security/2014/01/30/3"
},
{
"name": "https://github.com/phusion/passenger/commit/34b1087870c2",
"refsource": "CONFIRM",
"tags": [],
"url": "https://github.com/phusion/passenger/commit/34b1087870c2"
},
{
"name": "FEDORA-2015-1151",
"refsource": "FEDORA",
"tags": [],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149032.html"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1058992",
"refsource": "CONFIRM",
"tags": [],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1058992"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2015-02-20T23:56Z",
"publishedDate": "2015-02-19T15:59Z"
}
}
}