OSEC-2017-01

See a problem?

Import Source

https://github.com/ocaml/security-advisories/blob/generated-osv/2017/OSEC-2017-01.json

JSON Data

https://api.test.osv.dev/v1/vulns/OSEC-2017-01

Aliases

CVE-2017-9772

Published

2017-06-23T15:19:47Z

Modified

2026-02-06T12:11:27.949959Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Local privilege escalation issue with ocaml binaries

Details

Description

Insufficient sanitisation in the OCaml compiler versions 4.04.0 and 4.04.1 allows external code to be executed with raised privilege in binaries marked as setuid, by setting the CAMLCPLUGINS, CAMLNATIVECPLUGINS, or CAMLBYTE_CPLUGINS environment variable.

Database specific

{
    "cwe": [
        "CWE-269"
    ],
    "osv": "https://github.com/ocaml/security-advisories/tree/generated-osv/2017/OSEC-2017-01.json",
    "human_link": "https://github.com/ocaml/security-advisories/tree/main/advisories/2017/OSEC-2017-01.md"
}

References

https://github.com/ocaml/ocaml/issues/7557

Credits

- Eric Milliken - REPORTER
- Damien Doligez - REMEDIATION_DEVELOPER
- Xavier Leroy - REMEDIATION_REVIEWER

Affected packages

opam / ocaml

Package

Name: ocaml
Purl: pkg:opam/ocaml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.04

Fixed

4.04.2

Type: GIT
Repo: https://github.com/ocaml/ocaml
Events: Fixed

850021c200c7507f2a928a66fa1291ff4ae3a622

Introduced

507507829e9639374ede5a2dade1bb6d6b98ad49

Affected versions

4.*

4.04.0

4.04.1

Ecosystem specific

{
    "opam_constraint": "ocaml {>= \"4.04\" & < \"4.04.2\"}"
}

Database specific

source

"https://github.com/ocaml/security-advisories/blob/generated-osv/2017/OSEC-2017-01.json"