CVE-2019-11930

EPSS 2.5%
Published 04.12.2019 17:16:43
Last modified 21.11.2024 04:22:00
Source cve-assign@fb.com
Teams watchlist Login
Open Login

An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Facebook ≫ Hhvm Version < 3.30.12

Facebook ≫ Hhvm Version >= 4.0.0 <= 4.8.5

Facebook ≫ Hhvm Version >= 4.9.0 <= 4.23.1

Facebook ≫ Hhvm Version4.24.0

Facebook ≫ Hhvm Version4.25.0

Facebook ≫ Hhvm Version4.26.0

Facebook ≫ Hhvm Version4.27.0

Facebook ≫ Hhvm Version4.28.0

Facebook ≫ Hhvm Version4.28.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.5%	0.848

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-763 Release of Invalid Pointer or Reference

The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.

https://github.com/facebook/hhvm/commit/524d2e60cfe910406ec6109e4286d7edd545ab36

Patch

https://hhvm.com/blog/2019/10/28/security-update.html

Vendor Advisory

https://www.facebook.com/security/advisories/cve-2019-11930

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-11930

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-11930

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-11930

EUVD