9.8

CVE-2019-11936

EPSS 0.64%
Published 04.12.2019 17:16:43
Last modified 21.11.2024 04:22:01
Source cve-assign@fb.com
Teams watchlist Login
Open Login

Various APC functions accept keys containing null bytes as input, leading to premature truncation of input. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Facebook ≫ Hhvm Version < 3.30.12

Facebook ≫ Hhvm Version >= 4.0.0 <= 4.8.5

Facebook ≫ Hhvm Version >= 4.9.0 <= 4.23.1

Facebook ≫ Hhvm Version4.24.0

Facebook ≫ Hhvm Version4.25.0

Facebook ≫ Hhvm Version4.26.0

Facebook ≫ Hhvm Version4.27.0

Facebook ≫ Hhvm Version4.28.0

Facebook ≫ Hhvm Version4.28.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.64%	0.699

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-626 Null Byte Interaction Error (Poison Null Byte)

The product does not properly handle null bytes or NUL characters when passing data between different representations or components.

https://hhvm.com/blog/2019/10/28/security-update.html

Vendor Advisory

https://github.com/facebook/hhvm/commit/f57df6d8cf33cb14c40f52287da29360e7003373

Patch

Third Party Advisory

https://www.facebook.com/security/advisories/cve-2019-11936

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-11936

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-11936

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-11936

EUVD