Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-sd9j-zy5f-s3b9
Vulnerability ID VCID-sd9j-zy5f-s3b9
Aliases CVE-2016-10345
GHSA-cqxw-3p7v-p9gr
Summary Predictable tmp File Path Vulnerability A known /tmp filename is used during passenger-install-nginx-module execution, which can allow local attackers to gain the privileges of the passenger user.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-264 Permissions, Privileges, and Access Controls
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 5.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-10345.json
epss 0.00064 https://api.first.org/data/v1/epss?cve=CVE-2016-10345
epss 0.00064 https://api.first.org/data/v1/epss?cve=CVE-2016-10345
cvssv3.1 7.8 https://blog.phusion.nl/2017/01/10/passenger-5-1-1
generic_textual HIGH https://blog.phusion.nl/2017/01/10/passenger-5-1-1
cvssv3 7.8 https://blog.phusion.nl/2017/01/10/passenger-5-1-1/
cvssv2 6.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 7.8 https://github.com/advisories/GHSA-cqxw-3p7v-p9gr
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-cqxw-3p7v-p9gr
generic_textual HIGH https://github.com/advisories/GHSA-cqxw-3p7v-p9gr
cvssv3.1 7.8 https://github.com/phusion/passenger
generic_textual HIGH https://github.com/phusion/passenger
cvssv3.1 7.8 https://github.com/phusion/passenger/blob/stable-5.1/CHANGELOG
generic_textual HIGH https://github.com/phusion/passenger/blob/stable-5.1/CHANGELOG
cvssv3.1 7.8 https://github.com/phusion/passenger/commit/e5b4b0824d6b648525b4bf63d9fa37e5beeae441
generic_textual HIGH https://github.com/phusion/passenger/commit/e5b4b0824d6b648525b4bf63d9fa37e5beeae441
cvssv3.1 7.8 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2016-10345.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2016-10345.yml
cvssv3.1 7.8 https://nvd.nist.gov/vuln/detail/CVE-2016-10345
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2016-10345
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-10345.json
https://api.first.org/data/v1/epss?cve=CVE-2016-10345
https://blog.phusion.nl/2017/01/10/passenger-5-1-1
https://blog.phusion.nl/2017/01/10/passenger-5-1-1/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10345
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/advisories/GHSA-cqxw-3p7v-p9gr
https://github.com/phusion/passenger
https://github.com/phusion/passenger/blob/stable-5.1/CHANGELOG
https://github.com/phusion/passenger/commit/e5b4b0824d6b648525b4bf63d9fa37e5beeae441
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2016-10345.yml
https://nvd.nist.gov/vuln/detail/CVE-2016-10345
1445306 https://bugzilla.redhat.com/show_bug.cgi?id=1445306
No exploits are available.
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-10345.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://blog.phusion.nl/2017/01/10/passenger-5-1-1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/advisories/GHSA-cqxw-3p7v-p9gr
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/phusion/passenger
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/phusion/passenger/blob/stable-5.1/CHANGELOG
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/phusion/passenger/commit/e5b4b0824d6b648525b4bf63d9fa37e5beeae441
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2016-10345.yml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2016-10345
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.20118
EPSS Score 0.00064
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:36:51.484387+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/passenger/CVE-2016-10345.yml 38.6.0