{"api_version":"1","generated_at":"2026-06-21T04:24:04+00:00","cve":"CVE-2018-12029","urls":{"html":"https://cve.report/CVE-2018-12029","api":"https://cve.report/api/cve/CVE-2018-12029.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-12029","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-12029"},"summary":{"title":"CVE-2018-12029","description":"A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but before it was chowned, leads to the target of the link being chowned via the path. Targeting sensitive files such as root's crontab file allows privilege escalation.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2018-06-17 20:29:00","updated_at":"2019-03-08 14:12:00"},"problem_types":["CWE-362"],"metrics":[],"references":[{"url":"https://blog.phusion.nl/passenger-5-3-2","name":"https://blog.phusion.nl/passenger-5-3-2","refsource":"MISC","tags":["Mitigation","Vendor Advisory"],"title":"Passenger 5.3.2: various security fixes","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://pulsesecurity.co.nz/advisories/phusion-passenger-priv-esc","name":"https://pulsesecurity.co.nz/advisories/phusion-passenger-priv-esc","refsource":"MISC","tags":["Third Party Advisory"],"title":"Phusion Passenger chown() race privilege escalation (CVE-2018-12029)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/201807-02","name":"GLSA-201807-02","refsource":"GENTOO","tags":["Third Party Advisory"],"title":"Passenger: Multiple Vulnerabilities (GLSA 201807-02) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2018/06/msg00007.html","name":"[debian-lts-announce] 20180627 [SECURITY] [DLA 1399-1] ruby-passenger security update","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] [DLA 1399-1] ruby-passenger security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-12029","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-12029","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"12029","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12029","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12029","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"phusion","cpe5":"passenger","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12029","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"phusion","cpe5":"passenger","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-12029","qid":"710280","title":"Gentoo Linux Passenger Multiple Vulnerabilities (GLSA 201807-02)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2018-12029","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but before it was chowned, leads to the target of the link being chowned via the path. Targeting sensitive files such as root's crontab file allows privilege escalation."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://blog.phusion.nl/passenger-5-3-2","refsource":"MISC","url":"https://blog.phusion.nl/passenger-5-3-2"},{"name":"GLSA-201807-02","refsource":"GENTOO","url":"https://security.gentoo.org/glsa/201807-02"},{"name":"https://pulsesecurity.co.nz/advisories/phusion-passenger-priv-esc","refsource":"MISC","url":"https://pulsesecurity.co.nz/advisories/phusion-passenger-priv-esc"},{"name":"[debian-lts-announce] 20180627 [SECURITY] [DLA 1399-1] ruby-passenger security update","refsource":"MLIST","url":"https://lists.debian.org/debian-lts-announce/2018/06/msg00007.html"}]}},"nvd":{"publishedDate":"2018-06-17 20:29:00","lastModifiedDate":"2019-03-08 14:12:00","problem_types":["CWE-362"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7,"baseSeverity":"HIGH"},"exploitabilityScore":1,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:M/Au:N/C:P/I:P/A:P","accessVector":"LOCAL","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":4.4},"severity":"MEDIUM","exploitabilityScore":3.4,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:phusion:passenger:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"5.3.2","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"12029","Ordinal":"128541","Title":"CVE-2018-12029","CVE":"CVE-2018-12029","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"12029","Ordinal":"1","NoteData":"A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but before it was chowned, leads to the target of the link being chowned via the path. Targeting sensitive files such as root's crontab file allows privilege escalation.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"12029","Ordinal":"2","NoteData":"2018-06-17","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"12029","Ordinal":"3","NoteData":"2018-10-21","Type":"Other","Title":"Modified"}]}}}