Input validation error in Chicken Scheme

#VU41275 Input validation error in Chicken Scheme

Published: 2014-09-30 | Updated: 2020-08-10

Vulnerability identifier: #VU41275

Vulnerability risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2013-1874

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Chicken Scheme
Universal components / Libraries / Software for developers

Vendor: call-cc.org

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Untrusted search path vulnerability in csi in Chicken before 4.8.2 allows local users to execute arbitrary code via a Trojan horse .csirc in the current working directory. <a href = http://cwe.mitre.org/data/definitions/426.html> CWE-426: Untrusted Search Path </a>

Mitigation
Install update from vendor's website.

Vulnerable software versions

Chicken Scheme: 4.8.0 - 4.8.0.7

External links
http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=blob;f=NEWS;h=c21c7cf9d1faf4f78736890ac7ca1d4b82d72ddd;hb=c6750af99ada7fa4815ee834e4e705bcfac9c137
http://seclists.org/oss-sec/2013/q1/692
http://www.osvdb.org/91520
http://www.securityfocus.com/bid/58583
http://exchange.xforce.ibmcloud.com/vulnerabilities/85065

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in call-cc Chicken Scheme