CVE-2017-9772

Insufficient sanitisation in the OCaml compiler versions 4.04.0 and 4.04.1 allows external code to be executed with raised privilege in binaries marked as setuid, by setting the CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, or CAML_BYTE_CPLUGINS environment variable.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 90%
VendorProductVersion
ocamlocaml
4.04.0
ocamlocaml
4.04.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ocaml
bullseye
4.11.1-4
fixed
bookworm
4.13.1-4
fixed
sid
5.2.0-3
fixed
trixie
5.2.0-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ocaml
disco
not-affected
cosmic
not-affected
bionic
not-affected
artful
ignored
zesty
not-affected
yakkety
ignored
xenial
not-affected
trusty
not-affected
References
http://www.securityfocus.com/bid/99277
https://caml.inria.fr/mantis/view.php?id=7557
https://security.gentoo.org/glsa/201710-07
https://sympa.inria.fr/sympa/arc/caml-list/2017-06/msg00094.html
http://www.securityfocus.com/bid/99277
https://caml.inria.fr/mantis/view.php?id=7557
https://security.gentoo.org/glsa/201710-07
https://sympa.inria.fr/sympa/arc/caml-list/2017-06/msg00094.html