Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2013-2119
Vulnerability from gsd - Updated: 2013-05-29 00:00Details
Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-2119",
"description": "Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary \"config\" file in a directory with a predictable name in /tmp/ before it is used by the gem.",
"id": "GSD-2013-2119",
"references": [
"https://www.suse.com/security/cve/CVE-2013-2119.html",
"https://access.redhat.com/errata/RHSA-2013:1136",
"https://advisories.mageia.org/CVE-2013-2119.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "passenger",
"purl": "pkg:gem/passenger"
}
}
],
"aliases": [
"CVE-2013-2119",
"OSVDB-93752"
],
"details": "Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary \"config\" file in a directory with a predictable name in /tmp/ before it is used by the gem.",
"id": "GSD-2013-2119",
"modified": "2013-05-29T00:00:00.000Z",
"published": "2013-05-29T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2119"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 4.6,
"type": "CVSS_V2"
}
],
"summary": "CVE-2013-2119 rubygem-passenger: incorrect temporary file usage"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-2119",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary \"config\" file in a directory with a predictable name in /tmp/ before it is used by the gem."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.phusion.nl/2013/05/29/phusion-passenger-3-0-21-released/",
"refsource": "MISC",
"url": "http://blog.phusion.nl/2013/05/29/phusion-passenger-3-0-21-released/"
},
{
"name": "http://blog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released/",
"refsource": "MISC",
"url": "http://blog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released/"
},
{
"name": "http://rhn.redhat.com/errata/RHSA-2013-1136.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1136.html"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=892813",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=892813"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-2119",
"cvss_v2": 4.6,
"date": "2013-05-29",
"description": "Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary \"config\" file in a directory with a predictable name in /tmp/ before it is used by the gem.",
"gem": "passenger",
"osvdb": 93752,
"patched_versions": [
"~\u003e 3.0.21",
"\u003e= 4.0.5"
],
"title": "CVE-2013-2119 rubygem-passenger: incorrect temporary file usage",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2119"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=3.0.0 \u003c3.0.21 || \u003e=4.0.0 \u003c4.0.5",
"affected_versions": "All versions starting from 3.0.0 before 3.0.21, all versions starting from 4.0.0 before 4.0.5",
"credit": "Michael Scherer",
"cvss_v2": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2016-12-06",
"description": "The passenger ruby gem, when used in standalone mode, does not use temporary files securely. If a local attacker were able to create a temporary directory that passenger uses and supply a custom nginx configuration file they could start a nginx instance with their own configuration file.",
"fixed_versions": [
"3.0.21",
"4.0.5"
],
"identifier": "CVE-2013-2119",
"identifiers": [
"CVE-2013-2119"
],
"package_slug": "gem/passenger",
"pubdate": "2014-01-03",
"solution": "Update to latest 3.0.X or 4.0.X",
"title": "Incorrect temporary file usage",
"urls": [
"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2119",
"https://bugzilla.redhat.com/show_bug.cgi?id=892813"
],
"uuid": "76fb1e27-a19f-46e8-900a-8a7f2b6608e9"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "3.0.20",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:3.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:3.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:3.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:3.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:3.0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:3.0.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:3.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:3.0.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:3.0.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:3.0.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:3.0.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:3.0.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:3.0.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:3.0.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:3.0.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:3.0.15:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:3.0.17:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:3.0.18:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:3.0.19:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:4.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:4.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:4.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:phusion:passenger:4.0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:openshift:1.0:*:enterprise:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-2119"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary \"config\" file in a directory with a predictable name in /tmp/ before it is used by the gem."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.phusion.nl/2013/05/29/phusion-passenger-3-0-21-released/",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.phusion.nl/2013/05/29/phusion-passenger-3-0-21-released/"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=892813",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=892813"
},
{
"name": "http://blog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released/",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released/"
},
{
"name": "RHSA-2013:1136",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1136.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2023-02-13T04:42Z",
"publishedDate": "2014-01-03T18:54Z"
}
}
}