9.8

CVE-2019-11936

Various APC functions accept keys containing null bytes as input, leading to premature truncation of input. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
FacebookHhvm Version < 3.30.12
FacebookHhvm Version >= 4.0.0 <= 4.8.5
FacebookHhvm Version >= 4.9.0 <= 4.23.1
FacebookHhvm Version4.24.0
FacebookHhvm Version4.25.0
FacebookHhvm Version4.26.0
FacebookHhvm Version4.27.0
FacebookHhvm Version4.28.0
FacebookHhvm Version4.28.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.48% 0.705
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-626 Null Byte Interaction Error (Poison Null Byte)

The product does not properly handle null bytes or NUL characters when passing data between different representations or components.

https://hhvm.com/blog/2019/10/28/security-update.html
Vendor Advisory
https://github.com/facebook/hhvm/commit/f57df6d8cf33cb14c40f52287da29360e7003373
Patch
Third Party Advisory
https://www.facebook.com/security/advisories/cve-2019-11936
Vendor Advisory