Vulnerability Details : CVE-2015-8869
OCaml before 4.03.0 does not properly handle sign extensions, which allows remote attackers to conduct buffer overflow attacks or obtain sensitive information as demonstrated by a long string to the String.copy function.
Vulnerability category: Overflow, Information leak
Products affected by CVE-2015-8869
- cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
- cpe:2.3:a:ocaml:ocaml:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-8869
- 2.21%: Probability of exploitation activity in the next 30 days
- ~ 88%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-8869
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P | 10.0 | 4.9 | NIST | |
9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 | NIST | |
CWE ids for CVE-2015-8869
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. Assigned by: nvd@nist.gov (Primary)
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-8869
- http://rhn.redhat.com/errata/RHSA-2017-0564.html
  RHSA-2017:0564 - Security Advisory - Red Hat Customer Portal
- http://www.openwall.com/lists/oss-security/2016/04/29/6
  oss-security - Re: buffer overflow and information leak in OCaml < 4.03.0
- http://www.openwall.com/lists/oss-security/2016/04/29/1
  oss-security - buffer overflow and information leak in OCaml < 4.03.0
- http://lists.opensuse.org/opensuse-updates/2016-09/msg00037.html
  openSUSE-SU-2016:2273-1: moderate: Security update for ocaml
- https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762
  fix PR#7003 and a few other bugs caused by misuse of Int_val · ocaml/ocaml@659615c · GitHub
- https://security.gentoo.org/glsa/201702-15
  OCaml: Buffer overflow and information disclosure (GLSA 201702-15) — Gentoo security
- http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184507.html
  [SECURITY] Fedora 24 Update: ocaml-4.02.3-3.fc24
- https://access.redhat.com/errata/RHSA-2016:1296
  RHSA-2016:1296 - Security Advisory - Red Hat Customer Portal
- http://lists.opensuse.org/opensuse-updates/2016-05/msg00081.html
  openSUSE-SU-2016:1335-1: moderate: Security update for ocaml
- http://www.securityfocus.com/bid/89318
  OCaml CVE-2015-8869 Multiple Security Vulnerabilities
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
  Oracle Linux Bulletin - July 2016
- http://rhn.redhat.com/errata/RHSA-2017-0565.html
  RHSA-2017:0565 - Security Advisory - Red Hat Customer Portal
- http://rhn.redhat.com/errata/RHSA-2016-2576.html
  RHSA-2016:2576 - Security Advisory - Red Hat Customer Portal