CVE-2020-1898

EPSS 0.84%
Veröffentlicht 11.03.2021 01:15:14
Zuletzt bearbeitet 21.11.2024 05:11:34
Quelle cve-assign@fb.com
Teams Watchlist Login
Unerledigt Login

The fb_unserialize function did not impose a depth limit for nested deserialization. That meant a maliciously constructed string could cause deserialization to recurse, leading to stack exhaustion. This issue affected HHVM prior to v4.32.3, between versions 4.33.0 and 4.56.0, 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Facebook ≫ Hhvm Version < 4.32.3

Facebook ≫ Hhvm Version >= 4.33.0 < 4.56.1

Facebook ≫ Hhvm Version4.57.0

Facebook ≫ Hhvm Version4.58.0

Facebook ≫ Hhvm Version4.58.1

Facebook ≫ Hhvm Version4.59.0

Facebook ≫ Hhvm Version4.60.0

Facebook ≫ Hhvm Version4.61.0

Facebook ≫ Hhvm Version4.62.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.84%	0.739

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P

CWE-674 Uncontrolled Recursion

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

https://github.com/facebook/hhvm/commit/1746dfb11fc0048366f34669e74318b8278a684c

Patch

Third Party Advisory

https://hhvm.com/blog/2020/06/30/security-update.html

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-1898

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-1898

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-1898

EUVD