CVE-2022-36937

EPSS 0.36%
Published 10.05.2023 19:15:08
Last modified 27.01.2025 19:15:13
Source cve-assign@fb.com
Teams watchlist Login
Open Login

HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published vulnerabilities and is deprecated. HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, 4.173.0 replaces TLS1.0 with TLS1.3.

Applications that call stream_socket_server or stream_socket_client functions with a URL starting with tls:// are affected.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Facebook ≫ Hhvm Version < 4.153.4

Facebook ≫ Hhvm Version >= 4.154.0 < 4.168.2

Facebook ≫ Hhvm Version >= 4.169.0 < 4.169.2

Facebook ≫ Hhvm Version >= 4.170.0 < 4.170.2

Facebook ≫ Hhvm Version4.171.0

Facebook ≫ Hhvm Version4.172.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.36%	0.578

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.

https://github.com/facebook/hhvm/commit/083f5ffdee661f61512909d16f9a5b98cff3cf0b

Patch

https://hhvm.com/blog/2023/01/20/security-update.html

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-36937

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-36937

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-36937

EUVD