{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2023 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2018-12615","title":"Title"},{"category":"description","text":"An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2018-12615","url":"https://www.suse.com/security/cve/CVE-2018-12615"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1098872 for CVE-2018-12615","url":"https://bugzilla.suse.com/1098872"}],"title":"SUSE CVE CVE-2018-12615","tracking":{"current_release_date":"2023-02-15T04:26:20Z","generator":{"date":"2023-02-15T04:26:20Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2018-12615","initial_release_date":"2023-02-15T04:26:20Z","revision_history":[{"date":"2023-02-15T04:26:20Z","number":"2","summary":"Current version"}],"status":"interim","version":"2"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Lifecycle Management Server 1.3","product":{"name":"SUSE Lifecycle Management Server 1.3","product_id":"SUSE Lifecycle Management Server 1.3","product_identification_helper":{"cpe":"cpe:/a:suse:sle-slms:1.3"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 12","product":{"name":"SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 12","product":{"name":"SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 12","product":{"name":"SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 12","product":{"name":"SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 12","product":{"name":"SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 12","product":{"name":"SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 12","product":{"name":"SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 12","product":{"name":"SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 12","product":{"name":"SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:12"}}},{"category":"product_name","name":"SUSE Studio Onsite 1.3","product":{"name":"SUSE Studio Onsite 1.3","product_id":"SUSE Studio Onsite 1.3","product_identification_helper":{"cpe":"cpe:/o:suse:sle-studioonsite:1.3"}}},{"category":"product_version","name":"ruby2.1-rubygem-passenger","product":{"name":"ruby2.1-rubygem-passenger","product_id":"ruby2.1-rubygem-passenger","product_identification_helper":{"cpe":"cpe:2.3:a:ruby-lang:ruby:rubygem:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"rubygem-passenger","product":{"name":"rubygem-passenger","product_id":"rubygem-passenger","product_identification_helper":{"cpe":"cpe:2.3:a:phusion:passenger:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"rubygem-passenger-apache2","product":{"name":"rubygem-passenger-apache2","product_id":"rubygem-passenger-apache2"}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"rubygem-passenger as component of SUSE Lifecycle Management Server 1.3","product_id":"SUSE Lifecycle Management Server 1.3:rubygem-passenger"},"product_reference":"rubygem-passenger","relates_to_product_reference":"SUSE Lifecycle Management Server 1.3"},{"category":"default_component_of","full_product_name":{"name":"ruby2.1-rubygem-passenger as component of SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12:ruby2.1-rubygem-passenger"},"product_reference":"ruby2.1-rubygem-passenger","relates_to_product_reference":"SUSE Linux Enterprise Module for Containers 12"},{"category":"default_component_of","full_product_name":{"name":"rubygem-passenger as component of SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12:rubygem-passenger"},"product_reference":"rubygem-passenger","relates_to_product_reference":"SUSE Linux Enterprise Module for Containers 12"},{"category":"default_component_of","full_product_name":{"name":"rubygem-passenger-apache2 as component of SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12:rubygem-passenger-apache2"},"product_reference":"rubygem-passenger-apache2","relates_to_product_reference":"SUSE Linux Enterprise Module for Containers 12"},{"category":"default_component_of","full_product_name":{"name":"rubygem-passenger as component of SUSE Studio Onsite 1.3","product_id":"SUSE Studio Onsite 1.3:rubygem-passenger"},"product_reference":"rubygem-passenger","relates_to_product_reference":"SUSE Studio Onsite 1.3"}]},"vulnerabilities":[{"cve":"CVE-2018-12615","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2018-12615"}],"notes":[{"category":"general","text":"An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges.","title":"Vulnerability description"}],"product_status":{"known not affected":["SUSE Lifecycle Management Server 1.3:rubygem-passenger","SUSE Linux Enterprise Module for Containers 12:ruby2.1-rubygem-passenger","SUSE Linux Enterprise Module for Containers 12:rubygem-passenger","SUSE Linux Enterprise Module for Containers 12:rubygem-passenger-apache2","SUSE Studio Onsite 1.3:rubygem-passenger"]},"references":[{"category":"external","summary":"CVE-2018-12615","url":"https://www.suse.com/security/cve/CVE-2018-12615"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1098872 for CVE-2018-12615","url":"https://bugzilla.suse.com/1098872"}],"threats":[{"category":"impact","date":"2018-06-21T14:29:49Z","details":"moderate"}],"title":"CVE-2018-12615"}]}