VulnerableCode Package Details - pkg:gem/passenger@5.0.0.rc2

Search for packages

Vulnerability	Summary	Fixed by
VCID-e99s-zs31-c3cn Aliases: CVE-2018-12029 GHSA-jjcj-fgfm-9g9r	Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition) A race condition in the nginx module in Phusion Passenger allows local escalation of privileges when a non-standard `passenger_instance_registry_dir` with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but before it was chowned, leads to the target of the link being chowned via the path. Targeting sensitive files such as root's crontab file allows privilege escalation.	5.3.2 Affected by 0 other vulnerabilities.
VCID-fhu6-3k8p-aub2 Aliases: CVE-2016-10345 GHSA-cqxw-3p7v-p9gr	Predictable tmp File Path Vulnerability A known /tmp filename is used during passenger-install-nginx-module execution, which can allow local attackers to gain the privileges of the passenger user.	5.1.0 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ge31-t14g-e3bb Aliases: CVE-2015-7519 GHSA-fxwv-953p-7qpf	Header overwriting It is possible in some cases, for clients to overwrite headers set by the server, resulting in a medium level security issue. Passenger 5 uses an SCGI-inspired format to pass headers to Ruby/Python applications, while Passenger 4 uses an SCGI-inspired format to pass headers to all applications. This implies a conversion to UPPER_CASE_WITH_UNDERSCORES whereby the difference between characters like '-' and '_' is lost. See "Affected use-cases" in provided link to establish wether one particular application is affected.	5.0.22 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-z5g4-xxf6-vbbh Aliases: CVE-2018-12615 GHSA-4284-jfhc-f854	Incorrect Permission Assignment for Critical Resource An issue was discovered in Phusion Passenger. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges.	5.3.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-e99s-zs31-c3cn
Aliases:
CVE-2018-12029
GHSA-jjcj-fgfm-9g9r

Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition) A race condition in the nginx module in Phusion Passenger allows local escalation of privileges when a non-standard `passenger_instance_registry_dir` with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but before it was chowned, leads to the target of the link being chowned via the path. Targeting sensitive files such as root's crontab file allows privilege escalation.

5.3.2
Affected by 0 other vulnerabilities.

VCID-fhu6-3k8p-aub2
Aliases:
CVE-2016-10345
GHSA-cqxw-3p7v-p9gr

Predictable tmp File Path Vulnerability A known /tmp filename is used during passenger-install-nginx-module execution, which can allow local attackers to gain the privileges of the passenger user.

5.1.0
Affected by 3 other vulnerabilities.

VCID-ge31-t14g-e3bb
Aliases:
CVE-2015-7519
GHSA-fxwv-953p-7qpf

Header overwriting It is possible in some cases, for clients to overwrite headers set by the server, resulting in a medium level security issue. Passenger 5 uses an SCGI-inspired format to pass headers to Ruby/Python applications, while Passenger 4 uses an SCGI-inspired format to pass headers to all applications. This implies a conversion to UPPER_CASE_WITH_UNDERSCORES whereby the difference between characters like '-' and '_' is lost. See "Affected use-cases" in provided link to establish wether one particular application is affected.

5.0.22
Affected by 4 other vulnerabilities.

VCID-z5g4-xxf6-vbbh
Aliases:
CVE-2018-12615
GHSA-4284-jfhc-f854

Incorrect Permission Assignment for Critical Resource An issue was discovered in Phusion Passenger. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges.

5.3.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T20:45:37.370346+00:00	GitLab Importer	Affected by	VCID-z5g4-xxf6-vbbh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/passenger/CVE-2018-12615.yml	38.4.0
2026-04-16T20:45:35.052792+00:00	GitLab Importer	Affected by	VCID-e99s-zs31-c3cn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/passenger/CVE-2018-12029.yml	38.4.0
2026-04-16T20:36:42.011322+00:00	GitLab Importer	Affected by	VCID-fhu6-3k8p-aub2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/passenger/CVE-2016-10345.yml	38.4.0
2026-04-16T20:33:18.683967+00:00	GitLab Importer	Affected by	VCID-ge31-t14g-e3bb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/passenger/CVE-2015-7519.yml	38.4.0
2026-04-16T17:36:12.018840+00:00	Ruby Importer	Affected by	VCID-ge31-t14g-e3bb	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2015-7519.yml	38.4.0
2026-04-16T01:22:27.127934+00:00	GHSA Importer	Affected by	VCID-fhu6-3k8p-aub2	https://github.com/advisories/GHSA-cqxw-3p7v-p9gr	38.4.0
2026-04-11T21:56:24.889634+00:00	GitLab Importer	Affected by	VCID-z5g4-xxf6-vbbh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/passenger/CVE-2018-12615.yml	38.3.0
2026-04-11T21:56:22.282582+00:00	GitLab Importer	Affected by	VCID-e99s-zs31-c3cn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/passenger/CVE-2018-12029.yml	38.3.0
2026-04-11T21:47:15.286155+00:00	GitLab Importer	Affected by	VCID-fhu6-3k8p-aub2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/passenger/CVE-2016-10345.yml	38.3.0
2026-04-11T21:43:43.170894+00:00	GitLab Importer	Affected by	VCID-ge31-t14g-e3bb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/passenger/CVE-2015-7519.yml	38.3.0
2026-04-11T21:33:00.553063+00:00	Ruby Importer	Affected by	VCID-ge31-t14g-e3bb	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2015-7519.yml	38.3.0
2026-04-11T12:51:38.637470+00:00	GHSA Importer	Affected by	VCID-fhu6-3k8p-aub2	https://github.com/advisories/GHSA-cqxw-3p7v-p9gr	38.3.0
2026-04-02T22:09:48.003919+00:00	GitLab Importer	Affected by	VCID-z5g4-xxf6-vbbh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/passenger/CVE-2018-12615.yml	38.1.0
2026-04-02T22:09:45.706470+00:00	GitLab Importer	Affected by	VCID-e99s-zs31-c3cn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/passenger/CVE-2018-12029.yml	38.1.0
2026-04-02T22:01:14.191738+00:00	GitLab Importer	Affected by	VCID-fhu6-3k8p-aub2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/passenger/CVE-2016-10345.yml	38.1.0
2026-04-02T21:57:50.148845+00:00	GitLab Importer	Affected by	VCID-ge31-t14g-e3bb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/passenger/CVE-2015-7519.yml	38.1.0
2026-04-02T19:31:29.406336+00:00	Ruby Importer	Affected by	VCID-ge31-t14g-e3bb	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2015-7519.yml	38.1.0
2026-04-02T13:44:50.371322+00:00	GHSA Importer	Affected by	VCID-fhu6-3k8p-aub2	https://github.com/advisories/GHSA-cqxw-3p7v-p9gr	38.1.0
2026-04-01T16:27:05.064476+00:00	GitLab Importer	Affected by	VCID-z5g4-xxf6-vbbh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/passenger/CVE-2018-12615.yml	38.0.0
2026-04-01T16:27:03.061752+00:00	GitLab Importer	Affected by	VCID-e99s-zs31-c3cn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/passenger/CVE-2018-12029.yml	38.0.0
2026-04-01T16:18:25.129289+00:00	GitLab Importer	Affected by	VCID-fhu6-3k8p-aub2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/passenger/CVE-2016-10345.yml	38.0.0
2026-04-01T16:15:03.470649+00:00	GitLab Importer	Affected by	VCID-ge31-t14g-e3bb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/passenger/CVE-2015-7519.yml	38.0.0
2026-04-01T15:48:18.924035+00:00	Ruby Importer	Affected by	VCID-ge31-t14g-e3bb	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2015-7519.yml	38.0.0