Platform
ruby
Component
passenger
Fixed in
4.0.38
CVE-2014-1832 describes a symlink vulnerability affecting Phusion Passenger versions up to 4.0.37. A malicious local user can exploit this flaw to write to sensitive files and directories by manipulating symbolic links. This vulnerability stems from an incomplete fix addressing CVE-2014-1831. The issue is resolved in version 4.0.38.
Successful exploitation of CVE-2014-1832 allows a local attacker to gain write access to files and directories they would not normally have access to. This could lead to the modification of configuration files, the injection of malicious code, or the compromise of sensitive data stored within those files. The impact is limited to the local machine where Passenger is running, preventing widespread network compromise. However, depending on the permissions of the targeted files, the attacker could potentially escalate privileges or gain control over the web application itself.
CVE-2014-1832 is not currently tracked on KEV or EPSS. The CVSS score of 2.5 indicates a low probability of exploitation. Public proof-of-concept exploits are not widely available, suggesting limited active exploitation. This vulnerability was published in 2018, and its low severity and lack of public exploits suggest it is not a high-priority threat.
Exploit Status
EPSS
0.07% (21% percentile)
The primary mitigation for CVE-2014-1832 is to upgrade Phusion Passenger to version 4.0.38 or later. If an immediate upgrade is not feasible, consider restricting write access to the control_process.pid and generation-* files to the Passenger user. Implement strict file permissions and regularly audit the file system for unexpected symbolic links. While not a direct fix, employing a security scanner that detects anomalous file permissions can help identify potential exploitation paths.
No official patch available. Check for workarounds or monitor for updates.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2014-1832 is a vulnerability in Phusion Passenger versions up to 4.0.37 that allows a local attacker to write to arbitrary files via symlink manipulation. It's a LOW severity issue stemming from an incomplete fix for a previous vulnerability.
You are affected if you are running Phusion Passenger version 4.0.37 or earlier. Check your Passenger version using pw -v to determine if you are vulnerable.
Upgrade Phusion Passenger to version 4.0.38 or later. If an upgrade is not immediately possible, restrict write access to the control_process.pid and generation-* files.
There is no widespread evidence of active exploitation of CVE-2014-1832. Public proof-of-concept exploits are limited, and it is not currently tracked on KEV or EPSS.
Refer to the Phusion Passenger security advisory for details: https://www.phusionpassenger.com/news/security-updates/cve-2014-1832
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your Gemfile.lock file and we'll tell you instantly if you're affected.