CVE-2013-2119

Description

Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in `/tmp/` before it is used by the gem.

How to fix CVE-2013-2119

To remediate CVE-2013-2119, upgrade the affected package to a fixed version below.

• RubyGems/passenger—upgrade to 3.0.21 or later

Is CVE-2013-2119 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 3.0.21

References (9)

• ADVISORYgithub.com/advisories/GHSA-9qj7-jvg4-qr2x
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-2119
• WEBblog.phusion.nl/2013/05/29/phusion-passenger-3-0-21-released
• WEBblog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released
• WEB