Your submission was sent successfully! Close

CVE-2016-10345

Published: 18 April 2017

In Phusion Passenger before 5.1.0, a known /tmp filename was used during passenger-install-nginx-module execution, which could allow local attackers to gain the privileges of the passenger user.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package Release Status
passenger
Launchpad, Ubuntu, Debian
artful Ignored
(reached end-of-life)
bionic Not vulnerable

cosmic Ignored
(reached end-of-life)
disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Not vulnerable

groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Not vulnerable

precise Does not exist
(precise was needed)
trusty Does not exist

upstream
Released (5.1.0)
xenial Not vulnerable

yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)

Notes

AuthorNote
rodrigo-zaiden
the affected binary, passenger-install-nginx-module, is
not installed from Ubuntu package (as in Debian), so this
issue does not affect any Ubuntu releases.

References

Bugs