CVE-2019-11930

EPSS 2.5%
Veröffentlicht 04.12.2019 17:16:43
Zuletzt bearbeitet 21.11.2024 04:22:00
Quelle cve-assign@fb.com
Teams Watchlist Login
Unerledigt Login

An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Facebook ≫ Hhvm Version < 3.30.12

Facebook ≫ Hhvm Version >= 4.0.0 <= 4.8.5

Facebook ≫ Hhvm Version >= 4.9.0 <= 4.23.1

Facebook ≫ Hhvm Version4.24.0

Facebook ≫ Hhvm Version4.25.0

Facebook ≫ Hhvm Version4.26.0

Facebook ≫ Hhvm Version4.27.0

Facebook ≫ Hhvm Version4.28.0

Facebook ≫ Hhvm Version4.28.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.5%	0.848

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-763 Release of Invalid Pointer or Reference

The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.

https://github.com/facebook/hhvm/commit/524d2e60cfe910406ec6109e4286d7edd545ab36

Patch

https://hhvm.com/blog/2019/10/28/security-update.html

Vendor Advisory

https://www.facebook.com/security/advisories/cve-2019-11930

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-11930

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-11930

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-11930

EUVD