CVE-2019-11935

EPSS 0.64%
Published 04.12.2019 17:16:43
Last modified 21.11.2024 04:22:00
Source cve-assign@fb.com
Teams watchlist Login
Open Login

Insufficient boundary checks when processing a string in mb_ereg_replace allows access to out-of-bounds memory. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

Affected products Warnungen 0 Metrics 3 CWE 2 References 6

Data is provided by the National Vulnerability Database (NVD)

Facebook ≫ Hhvm Version < 3.30.12

Facebook ≫ Hhvm Version >= 4.0.0 <= 4.8.5

Facebook ≫ Hhvm Version >= 4.9.0 <= 4.23.1

Facebook ≫ Hhvm Version4.24.0

Facebook ≫ Hhvm Version4.25.0

Facebook ≫ Hhvm Version4.26.0

Facebook ≫ Hhvm Version4.27.0

Facebook ≫ Hhvm Version4.28.0

Facebook ≫ Hhvm Version4.28.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.64%	0.699

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://hhvm.com/blog/2019/10/28/security-update.html

Vendor Advisory

https://github.com/facebook/hhvm/commit/1c518555dba6ceb45d5ba61845b96e261219c3b7

Patch

Third Party Advisory

https://www.facebook.com/security/advisories/cve-2019-11935

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-11935

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-11935

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-11935

EUVD