Arbitrary file read vulnerability
A short time ago, the cPanel Security Team discovered a vulnerability in Passenger that allows users to read the contents of arbitrary files on the system when Passenger is running as root. This is usually the case in the Nginx and Apache integration modes, and the user_switching option does not affect whether the system is vulnerable. To exploit the vulnerability, a user must also have write access to an application hosted by Passenger on the system.
This has been fixed in Passenger version 5.1.11, which we will be releasing today (16 Oct 2017) at 17:00 Central European Time / 11:00 Eastern Standard Time.
We urgently advise upgrading as soon as the release is available.
We are also in the process of requesting a CVE, and details about the vulnerability will be disclosed with it.