CVE-2018-12615 — Phusion Passenger incorrect permission assignment

Description

An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges.

How to fix CVE-2018-12615

To remediate CVE-2018-12615, upgrade the affected package to a fixed version below.

—upgrade to 5.3.2 or later

Is CVE-2018-12615 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 5.3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-12615
PATCHgithub.com/phusion/passenger
WEBgithub.com/phusion/passenger/commit/4e97fdb86d0a0141ec9a052c6e691fcd07bb45c8
WEBgithub.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2018-12615.yml