Main Vulnerability Database Vulnerabilities #VU38820

Input validation error in OCaml - CVE-2017-9772

Published: June 23, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU38820

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2017-9772

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: OCaml

Affected software:
OCaml

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Insufficient sanitisation in the OCaml compiler versions 4.04.0 and 4.04.1 allows external code to be executed with raised privilege in binaries marked as setuid, by setting the CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, or CAML_BYTE_CPLUGINS environment variable.

How to mitigate CVE-2017-9772

Install update from vendor's website.

Sources

http://www.securityfocus.com/bid/99277
https://caml.inria.fr/mantis/view.php?id=7557
https://security.gentoo.org/glsa/201710-07
https://sympa.inria.fr/sympa/arc/caml-list/2017-06/msg00094.html

Input validation error in OCaml - CVE-2017-9772

Detailed vulnerability description

How to mitigate CVE-2017-9772

Sources

Please verify you're human