UNIX Symbolic Link (Symlink) Following

CVE-2014-1831

Low

0/10

Summary

Phusion Passenger before 4.0.37 allows local users to write to certain files and directories via a symlink attack on "control_process.pid" or a "generation-*" file.

Access Complexity: LOW
AccessVector: LOCAL
Authentication: NONE
Integrity Impact: PARTIAL
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-61 - UNIX Symbolic Link (Symlink) Following

The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.

References

Issue
Mail Thread
Advisory

Advisory Timeline

Published Feb 19, 2015

UNIX Symbolic Link (Symlink) Following

CVE-2014-1831

Summary

CWE-61 - UNIX Symbolic Link (Symlink) Following

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS