CVE-2013-7134
https://notcve.org/view.php?id=CVE-2013-7134
Juvia uses the same secret key for all installations, which allows remote attackers to have unspecified impact by leveraging the secret key in app/config/initializers/secret_token.rb, related to cookies. Juvia utiliza la misma clave secreta para todas las instalaciones, lo que permite a atacantes remotos tener un impacto no especificado mediante el aprovechamiento de la clave secreta en app/config/initializers/secret_token.rb, relacionado con cookies. • http://www.openwall.com/lists/oss-security/2013/12/16/3 http://www.openwall.com/lists/oss-security/2013/12/18/1 https://github.com/phusion/juvia/issues/55 • CWE-255: Credentials Management Errors •
CVE-2013-2119 – rubygem-passenger: incorrect temporary file usage
https://notcve.org/view.php?id=CVE-2013-2119
Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem. Las versiones 3.0.21 y 4.0.x anteriores a 4.0.5 de la gema Phusion Passenger para Ruby permite a usuarios locales causar denegación de servicio (prevención de inicio de la aplicación) u obtener privilegios creando un fichero "config" temporal en un directorio con un nombre predecible en /tmp/ antes de que sea utilizado por la gema. • http://blog.phusion.nl/2013/05/29/phusion-passenger-3-0-21-released http://blog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released http://rhn.redhat.com/errata/RHSA-2013-1136.html https://bugzilla.redhat.com/show_bug.cgi?id=892813 https://access.redhat.com/security/cve/CVE-2013-2119 • CWE-264: Permissions, Privileges, and Access Controls CWE-377: Insecure Temporary File •
CVE-2013-4136 – rubygem-passenger: insecure temporary directory usage due to reuse of existing server instance directories
https://notcve.org/view.php?id=CVE-2013-4136
ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/. ext/common/ServerInstanceDir.h en Phusion Passenger gem anteriores a 4.0.6 para Ruby permite a usuarios locales obtener privilegios o posiblemente cambiar el propietario de directorios arbitrarios a través de un ataque de enlaces simbólicos sobre un directorio con nombre predecible en /tmp/. • http://rhn.redhat.com/errata/RHSA-2013-1136.html http://www.openwall.com/lists/oss-security/2013/07/16/6 https://code.google.com/p/phusion-passenger/issues/detail?id=910 https://github.com/phusion/passenger/blob/release-4.0.6/NEWS https://github.com/phusion/passenger/commit/5483b3292cc2af1c83033eaaadec20dba4dcfd9b https://access.redhat.com/security/cve/CVE-2013-4136 https://bugzilla.redhat.com/show_bug.cgi?id=985633 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •