CVE-2016-1000005

EPSS 0.53%
Published 19.02.2020 13:15:10
Last modified 21.11.2024 02:42:50
Source cve@mitre.org
Teams watchlist Login
Open Login

mcrypt_get_block_size did not enforce that the provided "module" parameter was a string, leading to type confusion if other types of data were passed in. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0 and 3.12.3 (inclusive), and all versions between 3.13.0 and 3.14.1 (inclusive).

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Facebook ≫ Hhvm Version < 3.9.5

Facebook ≫ Hhvm Version >= 3.10.0 <= 3.12.3

Facebook ≫ Hhvm Version >= 3.13.0 <= 3.14.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.53%	0.666

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

https://github.com/facebook/hhvm/commit/39e7e177473350b3a5c34e8824af3b98e25efa89

Patch

Third Party Advisory

https://www.facebook.com/security/advisories/cve-2016-1000005

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2016-1000005

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-1000005

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-1000005

EUVD