|Number of vulnerabilities||1|
|CVE ID|| CVE-2017-17562
|CWE ID|| CWE-20
|Public exploit||Public exploit code for vulnerability #1 is available.|
|Vulnerable software versions||
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error in the cgiHandler function when CGI is enabled and a CGI program is dynamically linked. A remote attacker can make untrusted HTTP request parameters containing shared object payload in the cgiHandler function in cgi.c, allocate an array of pointers for the envp argument of the new process, initialize the environment of forked CGI scripts and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 3.6.5.