Miggo Logo

CVE-2016-10345: Phusion Passenger uses a known /tmp filename

7.8

CVSS Score
3.0

Basic Information

EPSS Score
0.20263%
CWE
-
Published
8/21/2018
Updated
6/9/2023
KEV Status
No
Technology
TechnologyRuby

Technical Details

CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
passengerrubygems< 5.1.05.1.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from using hardcoded /tmp/passenger-check.c filename in the PCRE check logic. The GitHub commit e5b4b082 shows the fix replaced this with Dir.mktmpdir to create unique temporary paths. The pcre_is_installed? function was directly handling this insecure file creation, making it the clear vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In P*usion P*ss*n**r ***or* *.*.*, * known /tmp *il*n*m* w*s us** *urin* p*ss*n**r-inst*ll-n*inx-mo*ul* *x**ution, w*i** *oul* *llow lo**l *tt**k*rs to **in t** privil***s o* t** p*ss*n**r us*r

Reasoning

T** vuln*r**ility st*ms *rom usin* **r**o*** /tmp/p*ss*n**r-****k.* *il*n*m* in t** P*R* ****k lo*i*. T** *it*u* *ommit ******** s*ows t** *ix r*pl**** t*is wit* *ir.mktmp*ir to *r**t* uniqu* t*mpor*ry p*t*s. T** p*r*_is_inst*ll**? *un*tion w*s *ir**