9.8

CVE-2019-11936

EPSS 0.64%
Veröffentlicht 04.12.2019 17:16:43
Zuletzt bearbeitet 21.11.2024 04:22:01
Quelle cve-assign@fb.com
Teams Watchlist Login
Unerledigt Login

Various APC functions accept keys containing null bytes as input, leading to premature truncation of input. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Facebook ≫ Hhvm Version < 3.30.12

Facebook ≫ Hhvm Version >= 4.0.0 <= 4.8.5

Facebook ≫ Hhvm Version >= 4.9.0 <= 4.23.1

Facebook ≫ Hhvm Version4.24.0

Facebook ≫ Hhvm Version4.25.0

Facebook ≫ Hhvm Version4.26.0

Facebook ≫ Hhvm Version4.27.0

Facebook ≫ Hhvm Version4.28.0

Facebook ≫ Hhvm Version4.28.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.64%	0.699

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-626 Null Byte Interaction Error (Poison Null Byte)

The product does not properly handle null bytes or NUL characters when passing data between different representations or components.

https://hhvm.com/blog/2019/10/28/security-update.html

Vendor Advisory

https://github.com/facebook/hhvm/commit/f57df6d8cf33cb14c40f52287da29360e7003373

Patch

Third Party Advisory

https://www.facebook.com/security/advisories/cve-2019-11936

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-11936

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-11936

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-11936

EUVD