CVSS: 4.6EPSS: 0%CPEs: 26EXPL: 0CVE-2013-2119 – rubygem-passenger: incorrect temporary file usage
https://notcve.org/view.php?id=CVE-2013-2119
Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem. Las versiones 3.0.21 y 4.0.x anteriores a 4.0.5 de la gema Phusion Passenger para Ruby permite a usuarios locales causar denegación de servicio (prevención de inicio de la aplicación) u obtener privilegios creando un fichero "config" temporal en un directorio con un nombre predecible en /tmp/ antes de que sea utilizado por la gema. • http://blog.phusion.nl/2013/05/29/phusion-passenger-3-0-21-released http://blog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released http://rhn.redhat.com/errata/RHSA-2013-1136.html https://bugzilla.redhat.com/show_bug.cgi?id=892813 https://access.redhat.com/security/cve/CVE-2013-2119 • CWE-264: Permissions, Privileges, and Access Controls CWE-377: Insecure Temporary File •
CVSS: 4.6EPSS: 0%CPEs: 6EXPL: 0CVE-2013-4136 – rubygem-passenger: insecure temporary directory usage due to reuse of existing server instance directories
https://notcve.org/view.php?id=CVE-2013-4136
ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/. ext/common/ServerInstanceDir.h en Phusion Passenger gem anteriores a 4.0.6 para Ruby permite a usuarios locales obtener privilegios o posiblemente cambiar el propietario de directorios arbitrarios a través de un ataque de enlaces simbólicos sobre un directorio con nombre predecible en /tmp/. • http://rhn.redhat.com/errata/RHSA-2013-1136.html http://www.openwall.com/lists/oss-security/2013/07/16/6 https://code.google.com/p/phusion-passenger/issues/detail?id=910 https://github.com/phusion/passenger/blob/release-4.0.6/NEWS https://github.com/phusion/passenger/commit/5483b3292cc2af1c83033eaaadec20dba4dcfd9b https://access.redhat.com/security/cve/CVE-2013-4136 https://bugzilla.redhat.com/show_bug.cgi?id=985633 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •