Package Instance

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/phusion/passenger/commit/bb15591646687064ab2d578d5f9660b2a4168017

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-24T16:59:12Z/

url

https://github.com/phusion/passenger/commit/bb15591646687064ab2d578d5f9660b2a4168017

reference_url

https://github.com/phusion/passenger/compare/release-6.0.25...release-6.0.26

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-24T16:59:12Z/

url

https://github.com/phusion/passenger/compare/release-6.0.25...release-6.0.26

reference_url

https://github.com/phusion/passenger/releases/tag/release-6.0.26

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-24T16:59:12Z/

url

https://github.com/phusion/passenger/releases/tag/release-6.0.26

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2025-26803.yml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2025-26803.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-26803

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-26803

reference_url

https://www.phusionpassenger.com/support

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-24T16:59:12Z/

url

https://www.phusionpassenger.com/support

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098909
reference_id	1098909
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098909

reference_url

https://blog.phusion.nl/2025/02/19/passenger-6-0-26/

reference_id

passenger-6-0-26

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-24T16:59:12Z/

url

https://blog.phusion.nl/2025/02/19/passenger-6-0-26/

fixed_packages

url	pkg:deb/debian/passenger@0?distro=trixie
purl	pkg:deb/debian/passenger@0?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@0%3Fdistro=trixie

url pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

purl pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-fhu6-3k8p-aub2

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@5.0.30-1.2%252Bdeb11u1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.17%252Bds-1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.26%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.26%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.26%252Bds-1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.26%252Bds-1.1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.1.1%252Bds-1%3Fdistro=trixie

aliases CVE-2025-26803, GHSA-2cj2-qqxj-5m3r

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-32zq-s261-57fa

url VCID-4agx-j827-hbex

vulnerability_id VCID-4agx-j827-hbex

summary

Utils.cpp Temporary Directory Creation Symlink Local Privilege Escalation
This package contains a flaw as the program creates temporary directories insecurely. It is possible for a local attacker to use a symlink attack against the Utils.cpp file to allow the attacker to gain elevated privileges.

references

reference_url

http://rhn.redhat.com/errata/RHSA-2013-1136.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://rhn.redhat.com/errata/RHSA-2013-1136.html

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-4136.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-4136.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2013-4136

reference_id

reference_type

scores

value	0.00044
scoring_system	epss
scoring_elements	0.13424
published_at	2026-04-21T12:55:00Z

value	0.00044
scoring_system	epss
scoring_elements	0.1362
published_at	2026-04-04T12:55:00Z

value	0.00044
scoring_system	epss
scoring_elements	0.13417
published_at	2026-04-07T12:55:00Z

value	0.00044
scoring_system	epss
scoring_elements	0.13499
published_at	2026-04-08T12:55:00Z

value	0.00044
scoring_system	epss
scoring_elements	0.13548
published_at	2026-04-09T12:55:00Z

value	0.00044
scoring_system	epss
scoring_elements	0.13521
published_at	2026-04-11T12:55:00Z

value	0.00044
scoring_system	epss
scoring_elements	0.13484
published_at	2026-04-12T12:55:00Z

value	0.00044
scoring_system	epss
scoring_elements	0.13438
published_at	2026-04-13T12:55:00Z

value	0.00044
scoring_system	epss
scoring_elements	0.1335
published_at	2026-04-16T12:55:00Z

value	0.00044
scoring_system	epss
scoring_elements	0.13349
published_at	2026-04-18T12:55:00Z

value	0.00044
scoring_system	epss
scoring_elements	0.13459
published_at	2026-04-01T12:55:00Z

value	0.00044
scoring_system	epss
scoring_elements	0.13558
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2013-4136

reference_url

https://code.google.com/p/phusion-passenger/issues/detail?id=910

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://code.google.com/p/phusion-passenger/issues/detail?id=910

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4136
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4136

reference_url

https://github.com/advisories/GHSA-w6rc-q387-vpgq

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-w6rc-q387-vpgq

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/phusion/passenger/blob/release-4.0.6/NEWS

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/phusion/passenger/blob/release-4.0.6/NEWS

reference_url

https://github.com/phusion/passenger/commit/5483b3292cc2af1c83033eaaadec20dba4dcfd9b

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/phusion/passenger/commit/5483b3292cc2af1c83033eaaadec20dba4dcfd9b

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2013-4136.yml

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2013-4136.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2013-4136

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2013-4136

reference_url

http://www.openwall.com/lists/oss-security/2013/07/16/6

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2013/07/16/6

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=985633
reference_id	985633
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=985633

fixed_packages

url	pkg:deb/debian/passenger@3.0.13debian-1.2?distro=trixie
purl	pkg:deb/debian/passenger@3.0.13debian-1.2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@3.0.13debian-1.2%3Fdistro=trixie

url pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

purl pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-fhu6-3k8p-aub2

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@5.0.30-1.2%252Bdeb11u1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.17%252Bds-1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.26%252Bds-1.1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.1.1%252Bds-1%3Fdistro=trixie

aliases CVE-2013-4136, GHSA-w6rc-q387-vpgq, OSV-94074

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4agx-j827-hbex

url VCID-a91w-ppku-ebfc

vulnerability_id VCID-a91w-ppku-ebfc

summary

Information Exposure
Given a Passenger-spawned application process that reports that it listens on a certain Unix domain socket, if any of the parent directories of said socket are writable by a normal user that is not the application's user, then that non-application user can swap that directory with something else, resulting in traffic being redirected to a non-application user's process through an alternative Unix domain socket.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-12027.json

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-12027.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-12027

reference_id

reference_type

scores

value	0.00275
scoring_system	epss
scoring_elements	0.50967
published_at	2026-04-21T12:55:00Z

value	0.00275
scoring_system	epss
scoring_elements	0.50987
published_at	2026-04-18T12:55:00Z

value	0.00275
scoring_system	epss
scoring_elements	0.50927
published_at	2026-04-04T12:55:00Z

value	0.00275
scoring_system	epss
scoring_elements	0.50939
published_at	2026-04-09T12:55:00Z

value	0.00275
scoring_system	epss
scoring_elements	0.50846
published_at	2026-04-01T12:55:00Z

value	0.00275
scoring_system	epss
scoring_elements	0.50942
published_at	2026-04-08T12:55:00Z

value	0.00275
scoring_system	epss
scoring_elements	0.50885
published_at	2026-04-07T12:55:00Z

value	0.00275
scoring_system	epss
scoring_elements	0.50901
published_at	2026-04-02T12:55:00Z

value	0.00275
scoring_system	epss
scoring_elements	0.50943
published_at	2026-04-13T12:55:00Z

value	0.00275
scoring_system	epss
scoring_elements	0.5096
published_at	2026-04-12T12:55:00Z

value	0.00275
scoring_system	epss
scoring_elements	0.50981
published_at	2026-04-16T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-12027

reference_url

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3
scoring_elements

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

reference_url

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2018-12027.yml

reference_url

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2018-12027.yml

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1592619
reference_id	1592619
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1592619

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusion:passenger::::::::
reference_id	cpe:2.3:a:phusion:passenger::::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusion:passenger::::::::

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-12027

reference_id

CVE-2018-12027

reference_type

scores

value	6.5
scoring_system	cvssv2
scoring_elements	AV:N/AC:L/Au:S/C:P/I:P/A:P

value	8.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-12027

reference_url

https://github.com/advisories/GHSA-whfx-877c-5p28

reference_id

GHSA-whfx-877c-5p28

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-whfx-877c-5p28

reference_url

reference_id

GLSA-201807-02

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-12029.json

fixed_packages

url	pkg:deb/debian/passenger@0?distro=trixie
purl	pkg:deb/debian/passenger@0?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@0%3Fdistro=trixie

url pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

purl pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-fhu6-3k8p-aub2

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@5.0.30-1.2%252Bdeb11u1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.17%252Bds-1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.26%252Bds-1.1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.1.1%252Bds-1%3Fdistro=trixie

aliases CVE-2018-12027, GHSA-whfx-877c-5p28

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a91w-ppku-ebfc

url VCID-e99s-zs31-c3cn

vulnerability_id VCID-e99s-zs31-c3cn

summary

Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)
A race condition in the nginx module in Phusion Passenger allows local escalation of privileges when a non-standard `passenger_instance_registry_dir` with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but before it was chowned, leads to the target of the link being chowned via the path. Targeting sensitive files such as root's crontab file allows privilege escalation.

references

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-12029.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-12029

reference_id

reference_type

scores

value	0.00099
scoring_system	epss
scoring_elements	0.27451
published_at	2026-04-21T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27629
published_at	2026-04-01T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27668
published_at	2026-04-02T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27706
published_at	2026-04-04T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27497
published_at	2026-04-07T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27565
published_at	2026-04-08T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27608
published_at	2026-04-09T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27613
published_at	2026-04-11T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27568
published_at	2026-04-12T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27512
published_at	2026-04-13T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27518
published_at	2026-04-16T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27491
published_at	2026-04-18T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-12029

reference_url

https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes

reference_id

reference_type

scores

value	7.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes

reference_url

https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/

reference_id

reference_type

scores

value	7.0
scoring_system	cvssv3
scoring_elements

url

https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/

reference_url

reference_id

reference_type

scores

value	7.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12029
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12029

reference_url

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2018-12029.yml

reference_id

reference_type

scores

value	7.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2018-12029.yml

reference_url

https://lists.debian.org/debian-lts-announce/2018/06/msg00007.html

reference_id

reference_type

scores

value	7.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2018/06/msg00007.html

reference_url

https://pulsesecurity.co.nz/advisories/phusion-passenger-priv-esc

reference_id

reference_type

scores

value	7.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://pulsesecurity.co.nz/advisories/phusion-passenger-priv-esc

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1592612
reference_id	1592612
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1592612

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921767
reference_id	921767
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921767

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusion:passenger::::::::
reference_id	cpe:2.3:a:phusion:passenger::::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusion:passenger::::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:::::::*
reference_id	cpe:2.3:o:debian:debian_linux:8.0:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:::::::*

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-12029

reference_id

CVE-2018-12029

reference_type

scores

value	4.4
scoring_system	cvssv2
scoring_elements	AV:L/AC:M/Au:N/C:P/I:P/A:P

value	7.0
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	7.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-12029

reference_url

https://github.com/advisories/GHSA-jjcj-fgfm-9g9r

reference_id

GHSA-jjcj-fgfm-9g9r

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jjcj-fgfm-9g9r

reference_url

reference_id

GLSA-201807-02

reference_type

scores

value	7.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-12026.json

reference_url	https://usn.ubuntu.com/USN-5261-1/
reference_id	USN-USN-5261-1
reference_type
scores
url	https://usn.ubuntu.com/USN-5261-1/

fixed_packages

url	pkg:deb/debian/passenger@5.0.30-1.1?distro=trixie
purl	pkg:deb/debian/passenger@5.0.30-1.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@5.0.30-1.1%3Fdistro=trixie

url pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

purl pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-fhu6-3k8p-aub2

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@5.0.30-1.2%252Bdeb11u1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.17%252Bds-1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.26%252Bds-1.1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.1.1%252Bds-1%3Fdistro=trixie

aliases CVE-2018-12029, GHSA-jjcj-fgfm-9g9r

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e99s-zs31-c3cn

url VCID-etvv-bvc3-qyan

vulnerability_id VCID-etvv-bvc3-qyan

summary

Improper Link Resolution Before File Access
During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in turn can result in information disclosure and privilege escalation.

references

reference_url

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-12026.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-12026

reference_id

reference_type

scores

value	0.01123
scoring_system	epss
scoring_elements	0.78289
published_at	2026-04-21T12:55:00Z

value	0.01123
scoring_system	epss
scoring_elements	0.78293
published_at	2026-04-18T12:55:00Z

value	0.01123
scoring_system	epss
scoring_elements	0.78295
published_at	2026-04-16T12:55:00Z

value	0.01123
scoring_system	epss
scoring_elements	0.78269
published_at	2026-04-12T12:55:00Z

value	0.01123
scoring_system	epss
scoring_elements	0.78247
published_at	2026-04-04T12:55:00Z

value	0.01123
scoring_system	epss
scoring_elements	0.78217
published_at	2026-04-02T12:55:00Z

value	0.01123
scoring_system	epss
scoring_elements	0.78264
published_at	2026-04-13T12:55:00Z

value	0.01123
scoring_system	epss
scoring_elements	0.78208
published_at	2026-04-01T12:55:00Z

value	0.01123
scoring_system	epss
scoring_elements	0.78286
published_at	2026-04-11T12:55:00Z

value	0.01123
scoring_system	epss
scoring_elements	0.78261
published_at	2026-04-09T12:55:00Z

value	0.01123
scoring_system	epss
scoring_elements	0.78255
published_at	2026-04-08T12:55:00Z

value	0.01123
scoring_system	epss
scoring_elements	0.78229
published_at	2026-04-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-12026

reference_url

https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes

reference_url

https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements

url

https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/

reference_url

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

reference_url

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/phusion/passenger/commit/fd3717a3cd357aa0e80e1e81d4dc94a1eaf928f1

reference_url

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/phusion/passenger/commit/fd3717a3cd357aa0e80e1e81d4dc94a1eaf928f1

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2018-12026.yml

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2018-12026.yml

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1592616
reference_id	1592616
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1592616

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusion:passenger::::::::
reference_id	cpe:2.3:a:phusion:passenger::::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusion:passenger::::::::

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-12026

reference_id

CVE-2018-12026

reference_type

scores

value	7.5
scoring_system	cvssv2
scoring_elements	AV:N/AC:L/Au:N/C:P/I:P/A:P

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-12026

reference_url

https://github.com/advisories/GHSA-7cv3-gvmc-8mq5

reference_id

GHSA-7cv3-gvmc-8mq5

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-7cv3-gvmc-8mq5

reference_url

reference_id

GLSA-201807-02

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-10345.json

fixed_packages

url	pkg:deb/debian/passenger@0?distro=trixie
purl	pkg:deb/debian/passenger@0?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@0%3Fdistro=trixie

url pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

purl pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-fhu6-3k8p-aub2

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@5.0.30-1.2%252Bdeb11u1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.17%252Bds-1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.26%252Bds-1.1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.1.1%252Bds-1%3Fdistro=trixie

aliases CVE-2018-12026, GHSA-7cv3-gvmc-8mq5

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-etvv-bvc3-qyan

url VCID-fhu6-3k8p-aub2

vulnerability_id VCID-fhu6-3k8p-aub2

summary

Predictable tmp File Path Vulnerability
A known /tmp filename is used during passenger-install-nginx-module execution, which can allow local attackers to gain the privileges of the passenger user.

references

reference_url

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-10345.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2016-10345

reference_id

reference_type

scores

value	0.00064
scoring_system	epss
scoring_elements	0.19919
published_at	2026-04-21T12:55:00Z

value	0.00064
scoring_system	epss
scoring_elements	0.19922
published_at	2026-04-18T12:55:00Z

value	0.00064
scoring_system	epss
scoring_elements	0.19918
published_at	2026-04-16T12:55:00Z

value	0.00064
scoring_system	epss
scoring_elements	0.19951
published_at	2026-04-01T12:55:00Z

value	0.00064
scoring_system	epss
scoring_elements	0.20018
published_at	2026-04-09T12:55:00Z

value	0.00064
scoring_system	epss
scoring_elements	0.19964
published_at	2026-04-08T12:55:00Z

value	0.00064
scoring_system	epss
scoring_elements	0.19885
published_at	2026-04-07T12:55:00Z

value	0.00064
scoring_system	epss
scoring_elements	0.20155
published_at	2026-04-04T12:55:00Z

value	0.00064
scoring_system	epss
scoring_elements	0.20098
published_at	2026-04-02T12:55:00Z

value	0.00064
scoring_system	epss
scoring_elements	0.19935
published_at	2026-04-13T12:55:00Z

value	0.00064
scoring_system	epss
scoring_elements	0.19993
published_at	2026-04-12T12:55:00Z

value	0.00064
scoring_system	epss
scoring_elements	0.20038
published_at	2026-04-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2016-10345

reference_url

https://blog.phusion.nl/2017/01/10/passenger-5-1-1

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://blog.phusion.nl/2017/01/10/passenger-5-1-1

reference_url

https://blog.phusion.nl/2017/01/10/passenger-5-1-1/

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3
scoring_elements

url

https://blog.phusion.nl/2017/01/10/passenger-5-1-1/

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10345
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10345

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv2
scoring_elements	AV:L/AC:L/Au:S/C:C/I:C/A:C

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/advisories/GHSA-cqxw-3p7v-p9gr

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-cqxw-3p7v-p9gr

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/phusion/passenger/blob/stable-5.1/CHANGELOG

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/phusion/passenger/blob/stable-5.1/CHANGELOG

reference_url

https://github.com/phusion/passenger/commit/e5b4b0824d6b648525b4bf63d9fa37e5beeae441

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/phusion/passenger/commit/e5b4b0824d6b648525b4bf63d9fa37e5beeae441

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2016-10345.yml

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2016-10345.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2016-10345

reference_id

reference_type

scores

value	4.6
scoring_system	cvssv2
scoring_elements	AV:L/AC:L/Au:N/C:P/I:P/A:P

value	7.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2016-10345

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1445306
reference_id	1445306
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1445306

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusion:passenger::::::::
reference_id	cpe:2.3:a:phusion:passenger::::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusion:passenger::::::::

fixed_packages

url	pkg:deb/debian/passenger@6.0.10-1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.10-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.10-1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.17%252Bds-1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.26%252Bds-1.1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.1.1%252Bds-1%3Fdistro=trixie

aliases CVE-2016-10345, GHSA-cqxw-3p7v-p9gr

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fhu6-3k8p-aub2

url VCID-ge31-t14g-e3bb

vulnerability_id VCID-ge31-t14g-e3bb

summary

Header overwriting
It is possible in some cases, for clients to overwrite headers set by the server, resulting in a medium level security issue. Passenger 5 uses an SCGI-inspired format to pass headers to Ruby/Python applications, while Passenger 4 uses an SCGI-inspired format to pass headers to all applications. This implies a conversion to UPPER_CASE_WITH_UNDERSCORES whereby the difference between characters like '-' and '_' is lost. See "Affected use-cases" in provided link to establish wether one particular application is affected.

references

reference_url

http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00024.html

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00024.html

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-7519.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-7519.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2015-7519

reference_id

reference_type

scores

value	0.00361
scoring_system	epss
scoring_elements	0.58248
published_at	2026-04-04T12:55:00Z

value	0.00361
scoring_system	epss
scoring_elements	0.58268
published_at	2026-04-21T12:55:00Z

value	0.00361
scoring_system	epss
scoring_elements	0.58291
published_at	2026-04-18T12:55:00Z

value	0.00361
scoring_system	epss
scoring_elements	0.58289
published_at	2026-04-16T12:55:00Z

value	0.00361
scoring_system	epss
scoring_elements	0.58257
published_at	2026-04-13T12:55:00Z

value	0.00361
scoring_system	epss
scoring_elements	0.583
published_at	2026-04-11T12:55:00Z

value	0.00361
scoring_system	epss
scoring_elements	0.58282
published_at	2026-04-09T12:55:00Z

value	0.00361
scoring_system	epss
scoring_elements	0.58277
published_at	2026-04-12T12:55:00Z

value	0.00361
scoring_system	epss
scoring_elements	0.58143
published_at	2026-04-01T12:55:00Z

value	0.00361
scoring_system	epss
scoring_elements	0.58228
published_at	2026-04-02T12:55:00Z

value	0.00361
scoring_system	epss
scoring_elements	0.58222
published_at	2026-04-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2015-7519

reference_url

https://blog.phusion.nl/2015/12/07/cve-2015-7519

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://blog.phusion.nl/2015/12/07/cve-2015-7519

reference_url

https://bugzilla.suse.com/show_bug.cgi?id=956281

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.suse.com/show_bug.cgi?id=956281

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7519
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7519

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	4.9
scoring_system	cvssv2
scoring_elements	AV:N/AC:M/Au:S/C:P/I:P/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/advisories/GHSA-fxwv-953p-7qpf

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-fxwv-953p-7qpf

reference_url

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/phusion/passenger/commit/ddb8ecc4ebf260e4967f57f271d4f5761abeac3e

reference_url

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/phusion/passenger/commit/ddb8ecc4ebf260e4967f57f271d4f5761abeac3e

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2015-7519.yml

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2015-7519.yml

reference_url

https://lists.debian.org/debian-lts-announce/2018/06/msg00007.html

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2018/06/msg00007.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2015-7519

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv2
scoring_elements	AV:N/AC:M/Au:N/C:N/I:P/A:N

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2015-7519

reference_url	https://puppet.com/security/cve/passenger-dec-2015-security-fixes
reference_id
reference_type
scores
url	https://puppet.com/security/cve/passenger-dec-2015-security-fixes

reference_url

https://web.archive.org/web/20220327073056/https://www.puppet.com/security/cve/passenger-dec-2015-security-fixes

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20220327073056/https://www.puppet.com/security/cve/passenger-dec-2015-security-fixes

reference_url

http://www.openwall.com/lists/oss-security/2015/12/07/1

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2015/12/07/1

reference_url

http://www.openwall.com/lists/oss-security/2015/12/07/2

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2015/12/07/2

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1290405
reference_id	1290405
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1290405

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807354
reference_id	807354
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807354

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger::::::::
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger::::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger::::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:beta1::::::
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:beta1::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:beta1::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:beta2::::::
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:beta2::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:beta2::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:beta3::::::
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:beta3::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:beta3::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:rc1::::::
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:rc1::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:rc1::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:rc2::::::
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:rc2::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:rc2::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.1:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.1:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.1:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.10:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.10:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.10:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.11:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.11:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.11:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.12:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.12:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.12:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.13:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.13:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.13:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.14:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.14:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.14:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.15:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.15:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.15:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.16:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.16:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.16:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.17:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.17:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.17:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.18:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.18:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.18:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.19:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.19:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.19:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.2:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.2:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.2:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.20:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.20:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.20:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.21:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.21:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.21:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.3:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.3:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.3:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.4:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.4:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.4:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.5:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.5:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.5:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.6:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.6:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.6:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.7:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.7:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.7:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.8:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.8:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.8:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.9:::::::*
reference_id	cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.9:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.9:::::::*

reference_url

https://blog.phusion.nl/2015/12/07/cve-2015-7519/

reference_id

CVE-2015-7519

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements

url

https://blog.phusion.nl/2015/12/07/cve-2015-7519/

fixed_packages

url	pkg:deb/debian/passenger@5.0.22-1?distro=trixie
purl	pkg:deb/debian/passenger@5.0.22-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@5.0.22-1%3Fdistro=trixie

url pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

purl pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-fhu6-3k8p-aub2

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@5.0.30-1.2%252Bdeb11u1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.17%252Bds-1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.26%252Bds-1.1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.1.1%252Bds-1%3Fdistro=trixie

aliases CVE-2015-7519, GHSA-fxwv-953p-7qpf

risk_score 1.9

exploitability 0.5

weighted_severity 3.9

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ge31-t14g-e3bb

url VCID-gjey-tb5m-gygf

vulnerability_id VCID-gjey-tb5m-gygf

summary

Instance Directory Creation Symlink Arbitrary File Overwrite
Passenger Gem for Ruby contains a flaw as the program creates the server instance directory insecurely. It is possible for a local attacker to use a symlink attack against the directory to cause the program to unexpectedly overwrite an arbitrary file.

references

reference_url

http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149032.html

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149032.html

reference_url

http://openwall.com/lists/oss-security/2014/01/28/8

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

http://openwall.com/lists/oss-security/2014/01/28/8

reference_url

http://openwall.com/lists/oss-security/2014/01/30/3

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

http://openwall.com/lists/oss-security/2014/01/30/3

reference_url	http://osvdb.org/show/osvdb/102613
reference_id
reference_type
scores
url	http://osvdb.org/show/osvdb/102613

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-1831.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-1831.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2014-1831

reference_id

reference_type

scores

value	0.00067
scoring_system	epss
scoring_elements	0.20659
published_at	2026-04-21T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20626
published_at	2026-04-07T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20702
published_at	2026-04-08T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20763
published_at	2026-04-09T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20781
published_at	2026-04-11T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20738
published_at	2026-04-12T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20686
published_at	2026-04-13T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20672
published_at	2026-04-16T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20668
published_at	2026-04-18T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20711
published_at	2026-04-01T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20854
published_at	2026-04-02T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20912
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2014-1831

reference_url

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736958

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736958

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=1058992

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=1058992

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1831

reference_url

https://github.com/advisories/GHSA-c7j7-p5jq-26ff

reference_id

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-c7j7-p5jq-26ff

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/phusion/passenger/commit/34b1087870c2

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/phusion/passenger/commit/34b1087870c2

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2014-1831.yml

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2014-1831.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2014-1831

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2014-1831

fixed_packages

url	pkg:deb/debian/passenger@4.0.37-1?distro=trixie
purl	pkg:deb/debian/passenger@4.0.37-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@4.0.37-1%3Fdistro=trixie

url pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

purl pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-fhu6-3k8p-aub2

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@5.0.30-1.2%252Bdeb11u1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.17%252Bds-1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.26%252Bds-1.1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.1.1%252Bds-1%3Fdistro=trixie

aliases CVE-2014-1831, GHSA-c7j7-p5jq-26ff

risk_score 1.4

exploitability 0.5

weighted_severity 2.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gjey-tb5m-gygf

url VCID-nxqg-9ste-cycv

vulnerability_id VCID-nxqg-9ste-cycv

summary

Server Instance Directory Creation Local Symlink File Overwrite
This package contains a flaw as the program creates the server instance directory insecurely. It is possible for a local attacker to use a symlink attack against the directory to cause the program to unexpectedly overwrite an arbitrary file.

references

reference_url

http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149032.html

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149032.html

reference_url

http://openwall.com/lists/oss-security/2014/01/29/6

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

http://openwall.com/lists/oss-security/2014/01/29/6

reference_url

http://openwall.com/lists/oss-security/2014/01/30/3

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

http://openwall.com/lists/oss-security/2014/01/30/3

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-1832.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-1832.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2014-1832

reference_id

reference_type

scores

value	0.00067
scoring_system	epss
scoring_elements	0.20659
published_at	2026-04-21T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20626
published_at	2026-04-07T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20702
published_at	2026-04-08T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20763
published_at	2026-04-09T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20781
published_at	2026-04-11T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20738
published_at	2026-04-12T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20686
published_at	2026-04-13T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20672
published_at	2026-04-16T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20668
published_at	2026-04-18T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20711
published_at	2026-04-01T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20854
published_at	2026-04-02T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20912
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2014-1832

reference_url

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736958

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736958

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=1058992

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=1058992

reference_url

https://github.com/advisories/GHSA-qw8w-2xcp-xg59

reference_id

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-qw8w-2xcp-xg59

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/phusion/passenger/commit/94428057c602da3d6d34ef75c78091066ecac5c0

reference_url	https://github.com/phusion/passenger/commit/34b1087870c2bf85ebfd72c30b78577e10ab9744
reference_id
reference_type
scores
url	https://github.com/phusion/passenger/commit/34b1087870c2bf85ebfd72c30b78577e10ab9744

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/phusion/passenger/commit/94428057c602da3d6d34ef75c78091066ecac5c0

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2014-1832.yml

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2014-1832.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2014-1832

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2014-1832

fixed_packages

url	pkg:deb/debian/passenger@0?distro=trixie
purl	pkg:deb/debian/passenger@0?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@0%3Fdistro=trixie

url pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

purl pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-fhu6-3k8p-aub2

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@5.0.30-1.2%252Bdeb11u1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.17%252Bds-1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.26%252Bds-1.1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.1.1%252Bds-1%3Fdistro=trixie

aliases CVE-2014-1832, GHSA-qw8w-2xcp-xg59, OSV-102613

risk_score 1.4

exploitability 0.5

weighted_severity 2.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nxqg-9ste-cycv

url VCID-tekr-xkck-pkfu

vulnerability_id VCID-tekr-xkck-pkfu

summary

Multiple vulnerabilities in Asterisk might allow remote attackers to cause
    a Denial of Service condition, or conduct other attacks.

references

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-7220.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-7220.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2008-7220

reference_id

reference_type

scores

value	0.10024
scoring_system	epss
scoring_elements	0.93033
published_at	2026-04-01T12:55:00Z

value	0.10024
scoring_system	epss
scoring_elements	0.93041
published_at	2026-04-02T12:55:00Z

value	0.10024
scoring_system	epss
scoring_elements	0.93045
published_at	2026-04-07T12:55:00Z

value	0.10024
scoring_system	epss
scoring_elements	0.93053
published_at	2026-04-08T12:55:00Z

value	0.10024
scoring_system	epss
scoring_elements	0.93058
published_at	2026-04-09T12:55:00Z

value	0.10024
scoring_system	epss
scoring_elements	0.93063
published_at	2026-04-11T12:55:00Z

value	0.10024
scoring_system	epss
scoring_elements	0.9306
published_at	2026-04-12T12:55:00Z

value	0.10024
scoring_system	epss
scoring_elements	0.93062
published_at	2026-04-13T12:55:00Z

value	0.10024
scoring_system	epss
scoring_elements	0.93073
published_at	2026-04-16T12:55:00Z

value	0.10024
scoring_system	epss
scoring_elements	0.93076
published_at	2026-04-18T12:55:00Z

value	0.10024
scoring_system	epss
scoring_elements	0.93082
published_at	2026-04-21T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2008-7220

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=523277
reference_id	523277
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=523277

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555220
reference_id	555220
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555220

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555221
reference_id	555221
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555221

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555242
reference_id	555242
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555242

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555244
reference_id	555244
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555244

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555250
reference_id	555250
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555250

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555255
reference_id	555255
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555255

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555259
reference_id	555259
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555259

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555266
reference_id	555266
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555266

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558977
reference_id	558977
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558977

reference_url	https://security.gentoo.org/glsa/201006-20
reference_id	GLSA-201006-20
reference_type
scores
url	https://security.gentoo.org/glsa/201006-20

fixed_packages

url	pkg:deb/debian/passenger@0?distro=trixie
purl	pkg:deb/debian/passenger@0?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@0%3Fdistro=trixie

url pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

purl pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-fhu6-3k8p-aub2

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@5.0.30-1.2%252Bdeb11u1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.17%252Bds-1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.26%252Bds-1.1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.1.1%252Bds-1%3Fdistro=trixie

aliases CVE-2008-7220

risk_score 0.1

exploitability 0.5

weighted_severity 0.1

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tekr-xkck-pkfu

url VCID-xn3j-fysa-ybga

vulnerability_id VCID-xn3j-fysa-ybga

summary

Incorrect Permission Assignment for Critical Resource
An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an error, it would cause Passenger's process manager to kill said reported arbitrary PID.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-12028.json

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-12028.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-12028

reference_id

reference_type

scores

value	0.00175
scoring_system	epss
scoring_elements	0.38988
published_at	2026-04-21T12:55:00Z

value	0.00175
scoring_system	epss
scoring_elements	0.38897
published_at	2026-04-01T12:55:00Z

value	0.00175
scoring_system	epss
scoring_elements	0.39085
published_at	2026-04-02T12:55:00Z

value	0.00175
scoring_system	epss
scoring_elements	0.39105
published_at	2026-04-16T12:55:00Z

value	0.00175
scoring_system	epss
scoring_elements	0.39023
published_at	2026-04-07T12:55:00Z

value	0.00175
scoring_system	epss
scoring_elements	0.39079
published_at	2026-04-08T12:55:00Z

value	0.00175
scoring_system	epss
scoring_elements	0.39094
published_at	2026-04-09T12:55:00Z

value	0.00175
scoring_system	epss
scoring_elements	0.39106
published_at	2026-04-11T12:55:00Z

value	0.00175
scoring_system	epss
scoring_elements	0.39069
published_at	2026-04-12T12:55:00Z

value	0.00175
scoring_system	epss
scoring_elements	0.39049
published_at	2026-04-13T12:55:00Z

value	0.00175
scoring_system	epss
scoring_elements	0.39075
published_at	2026-04-18T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-12028

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3
scoring_elements

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/phusion/passenger/commit/1e7c82deb4901c438f583737d8c9f2aac264737c

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/phusion/passenger/commit/1e7c82deb4901c438f583737d8c9f2aac264737c

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2018-12028.yml

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2018-12028.yml

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1592621
reference_id	1592621
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1592621

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusion:passenger::::::::
reference_id	cpe:2.3:a:phusion:passenger::::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusion:passenger::::::::

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-12028

reference_id

CVE-2018-12028

reference_type

scores

value	6.8
scoring_system	cvssv2
scoring_elements	AV:N/AC:M/Au:N/C:P/I:P/A:P

value	7.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-12028

reference_url

https://github.com/advisories/GHSA-jjhj-8gx7-x836

reference_id

GHSA-jjhj-8gx7-x836

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jjhj-8gx7-x836

reference_url

reference_id

GLSA-201807-02

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-12615.json

fixed_packages

url	pkg:deb/debian/passenger@0?distro=trixie
purl	pkg:deb/debian/passenger@0?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@0%3Fdistro=trixie

url pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

purl pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-fhu6-3k8p-aub2

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@5.0.30-1.2%252Bdeb11u1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.17%252Bds-1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.26%252Bds-1.1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.1.1%252Bds-1%3Fdistro=trixie

aliases CVE-2018-12028, GHSA-jjhj-8gx7-x836

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xn3j-fysa-ybga

url VCID-z5g4-xxf6-vbbh

vulnerability_id VCID-z5g4-xxf6-vbbh

summary

Incorrect Permission Assignment for Critical Resource
An issue was discovered in Phusion Passenger. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges.

references

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-12615.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-12615

reference_id

reference_type

scores

value	0.00198
scoring_system	epss
scoring_elements	0.41833
published_at	2026-04-21T12:55:00Z

value	0.00198
scoring_system	epss
scoring_elements	0.41905
published_at	2026-04-18T12:55:00Z

value	0.00198
scoring_system	epss
scoring_elements	0.41932
published_at	2026-04-16T12:55:00Z

value	0.00198
scoring_system	epss
scoring_elements	0.41882
published_at	2026-04-13T12:55:00Z

value	0.00198
scoring_system	epss
scoring_elements	0.41894
published_at	2026-04-12T12:55:00Z

value	0.00198
scoring_system	epss
scoring_elements	0.4193
published_at	2026-04-11T12:55:00Z

value	0.00198
scoring_system	epss
scoring_elements	0.41918
published_at	2026-04-04T12:55:00Z

value	0.00198
scoring_system	epss
scoring_elements	0.41846
published_at	2026-04-07T12:55:00Z

value	0.00198
scoring_system	epss
scoring_elements	0.4189
published_at	2026-04-02T12:55:00Z

value	0.00198
scoring_system	epss
scoring_elements	0.41906
published_at	2026-04-09T12:55:00Z

value	0.00198
scoring_system	epss
scoring_elements	0.41825
published_at	2026-04-01T12:55:00Z

value	0.00198
scoring_system	epss
scoring_elements	0.41895
published_at	2026-04-08T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-12615

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/phusion/passenger/commit/4e97fdb86d0a0141ec9a052c6e691fcd07bb45c8

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/phusion/passenger/commit/4e97fdb86d0a0141ec9a052c6e691fcd07bb45c8

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2018-12615.yml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2018-12615.yml

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1594361
reference_id	1594361
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1594361

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusion:passenger::::::::
reference_id	cpe:2.3:a:phusion:passenger::::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phusion:passenger::::::::

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-12615

reference_id

CVE-2018-12615

reference_type

scores

value	5.0
scoring_system	cvssv2
scoring_elements	AV:N/AC:L/Au:N/C:N/I:P/A:N

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-12615

reference_url

https://github.com/advisories/GHSA-4284-jfhc-f854

reference_id

GHSA-4284-jfhc-f854

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-4284-jfhc-f854

fixed_packages

url	pkg:deb/debian/passenger@0?distro=trixie
purl	pkg:deb/debian/passenger@0?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@0%3Fdistro=trixie

url pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

purl pkg:deb/debian/passenger@5.0.30-1.2%2Bdeb11u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-fhu6-3k8p-aub2

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@5.0.30-1.2%252Bdeb11u1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.17%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.17%252Bds-1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
purl	pkg:deb/debian/passenger@6.0.26%2Bds-1.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.0.26%252Bds-1.1%3Fdistro=trixie

url	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
purl	pkg:deb/debian/passenger@6.1.1%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/passenger@6.1.1%252Bds-1%3Fdistro=trixie

aliases CVE-2018-12615, GHSA-4284-jfhc-f854

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z5g4-xxf6-vbbh

url VCID-zwgu-5146-t7h5

vulnerability_id VCID-zwgu-5146-t7h5

summary

Information Exposure
If Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from the application root folder to a file of choice and querying `passenger-status --show=xml`.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-16355.json

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-16355.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2017-16355

reference_id

reference_type

scores

value	0.00136
scoring_system	epss
scoring_elements	0.33299
published_at	2026-04-21T12:55:00Z

value	0.00136
scoring_system	epss
scoring_elements	0.33333
published_at	2026-04-18T12:55:00Z

value	0.00136
scoring_system	epss
scoring_elements	0.33357
published_at	2026-04-16T12:55:00Z

value	0.00136
scoring_system	epss
scoring_elements	0.33318
published_at	2026-04-13T12:55:00Z

value	0.00136
scoring_system	epss
scoring_elements	0.33297
published_at	2026-04-01T12:55:00Z

value	0.00136
scoring_system	epss
scoring_elements	0.33346
published_at	2026-04-08T12:55:00Z

value	0.00136
scoring_system	epss
scoring_elements	0.33302
published_at	2026-04-07T12:55:00Z

value	0.00136
scoring_system	epss
scoring_elements	0.33464
published_at	2026-04-04T12:55:00Z

value	0.00136
scoring_system	epss
scoring_elements	0.33432
published_at	2026-04-02T12:55:00Z

value	0.00136
scoring_system	epss
scoring_elements	0.33341
published_at	2026-04-12T12:55:00Z

value	0.00136
scoring_system	epss
scoring_elements	0.33382
published_at	2026-04-11T12:55:00Z

value	0.00136
scoring_system	epss
scoring_elements	0.33379
published_at	2026-04-09T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2017-16355

reference_url

https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11

reference_url	https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/
reference_id
reference_type
scores
url	https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16355
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16355

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	4
scoring_system	cvssv2
scoring_elements	AV:L/AC:H/Au:N/C:C/I:N/A:N

value	5.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url