// For flags

CVE-2013-4136

rubygem-passenger: insecure temporary directory usage due to reuse of existing server instance directories

Severity Score

7.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/.

ext/common/ServerInstanceDir.h en Phusion Passenger gem anteriores a 4.0.6 para Ruby permite a usuarios locales obtener privilegios o posiblemente cambiar el propietario de directorios arbitrarios a través de un ataque de enlaces simbólicos sobre un directorio con nombre predecible en /tmp/.

rubygem-passenger is a web server for Ruby, Python and Node.js applications. The rubygem-passenger gem created and re-used temporary directories and files in an insecure fashion. A local attacker could use these flaws to conduct a denial of service attack, take over the operation of the application or, potentially, execute arbitrary code with the privileges of the user running rubygem-passenger. Note: By default, OpenShift Enterprise uses polyinstantiation for the /tmp/ directory, thereby minimizing the risk and impact of exploitation by local attackers of both CVE-2013-2119 and CVE-2013-4136.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2013-06-12 CVE Reserved
  • 2013-08-05 CVE Published
  • 2024-09-17 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-59: Improper Link Resolution Before File Access ('Link Following')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Phusion
Search vendor "Phusion"
 Passenger
Search vendor "Phusion" for product "Passenger"
 <= 4.0.5
Search vendor "Phusion" for product "Passenger" and version " <= 4.0.5"
-
Affected
in Ruby-lang
Search vendor "Ruby-lang"
 Ruby
Search vendor "Ruby-lang" for product "Ruby"
*-
Safe
Phusion
Search vendor "Phusion"
 Passenger
Search vendor "Phusion" for product "Passenger"
 4.0.1
Search vendor "Phusion" for product "Passenger" and version "4.0.1"
-
Affected
in Ruby-lang
Search vendor "Ruby-lang"
 Ruby
Search vendor "Ruby-lang" for product "Ruby"
*-
Safe
Phusion
Search vendor "Phusion"
 Passenger
Search vendor "Phusion" for product "Passenger"
 4.0.2
Search vendor "Phusion" for product "Passenger" and version "4.0.2"
-
Affected
in Ruby-lang
Search vendor "Ruby-lang"
 Ruby
Search vendor "Ruby-lang" for product "Ruby"
*-
Safe
Phusion
Search vendor "Phusion"
 Passenger
Search vendor "Phusion" for product "Passenger"
 4.0.3
Search vendor "Phusion" for product "Passenger" and version "4.0.3"
-
Affected
in Ruby-lang
Search vendor "Ruby-lang"
 Ruby
Search vendor "Ruby-lang" for product "Ruby"
*-
Safe
Phusion
Search vendor "Phusion"
 Passenger
Search vendor "Phusion" for product "Passenger"
 4.0.4
Search vendor "Phusion" for product "Passenger" and version "4.0.4"
-
Affected
in Ruby-lang
Search vendor "Ruby-lang"
 Ruby
Search vendor "Ruby-lang" for product "Ruby"
*-
Safe