CVE-2014-1831
Insecure use of temporary files in passenger
EPSS 0.07%
Description
Phusion Passenger before 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or (2) a generation-* file.
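The bug class named in the description, as an added example (not Passenger's code or its actual patch): a naive PID-file write follows a symlink already present at the path, while creating the file with O_EXCL | O_NOFOLLOW refuses it. The function names, the /tmp scratch directory and the victim file are constructed for this demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Shared tail: write our PID to an open descriptor and close it. */
static int put_pid(int fd) {
    if (fd < 0) return -1;
    dprintf(fd, "%ld\n", (long)getpid());
    return close(fd);
}

/* Naive write: open() follows whatever already sits at `path`,
 * so a symlink found there redirects the write to its target. */
static int write_pid_naive(const char *path) {
    return put_pid(open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644));
}

/* Hardened write: O_EXCL fails if anything (symlink included) exists at
 * `path`; O_NOFOLLOW rejects a symlink as the final component. */
static int write_pid_safe(const char *path) {
    return put_pid(open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600));
}

/* Constructed scenario: control_process.pid is a symlink to an empty
 * "victim" file. Returns the victim's size afterwards (0 = untouched). */
static long victim_size_after(int (*writer)(const char *)) {
    char dir[] = "/tmp/pidfile-demo-XXXXXX", victim[64], pidfile[64];
    struct stat st;
    long size = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(pidfile, sizeof pidfile, "%s/control_process.pid", dir);
    close(open(victim, O_WRONLY | O_CREAT, 0600));
    if (symlink(victim, pidfile) == 0) {
        writer(pidfile);
        if (stat(victim, &st) == 0) size = (long)st.st_size;
    }
    unlink(pidfile); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("naive: %ld, safe: %ld\n", victim_size_after(write_pid_naive),
           victim_size_after(write_pid_safe));
    return 0;
}
```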
How to fix CVE-2014-1831
To remediate CVE-2014-1831, upgrade the affected package to a fixed version below.
- Debian/passenger—upgrade to 4.0.37-1 or later
- RubyGems/passenger—upgrade to 4.0.38 or later
Is CVE-2014-1831 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/passenger: from 0, < 4.0.37-1
- RubyGems/passenger: from 0, < 4.0.38