CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2022-36937
https://notcve.org/view.php?id=CVE-2022-36937
HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published vulnerabilities and is deprecated. HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, 4.173.0 replaces TLS1.0 with TLS1.3. Applications that call stream_socket_server or stream_socket_client functions with a URL starting with tls:// are affected. • https://github.com/facebook/hhvm/commit/083f5ffdee661f61512909d16f9a5b98cff3cf0b https://hhvm.com/blog/2023/01/20/security-update.html •
CVSS: 8.1EPSS: 0%CPEs: 7EXPL: 0CVE-2019-3556
https://notcve.org/view.php?id=CVE-2019-3556
HHVM supports the use of an "admin" server which accepts administrative requests over HTTP. One of those request handlers, dump-pcre-cache, can be used to output cached regular expressions from the current execution context into a file. The handler takes a parameter which specifies where on the filesystem to write this data. The parameter is not validated, allowing a malicious user to overwrite arbitrary files where the user running HHVM has write access. This issue affects HHVM versions prior to 4.56.2, all versions between 4.57.0 and 4.78.0, as well as 4.79.0, 4.80.0, 4.81.0, 4.82.0, and 4.83.0. • https://github.com/facebook/hhvm/commit/abe0b29e4d3a610f9bc920b8be4ad8403364c2d4 https://hhvm.com/blog/2020/11/12/security-update.html https://www.facebook.com/security/advisories/cve-2019-3556 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 1%CPEs: 10EXPL: 0CVE-2021-24036
https://notcve.org/view.php?id=CVE-2021-24036
Passing an attacker controlled size when creating an IOBuf could cause integer overflow, leading to an out of bounds write on the heap with the possibility of remote code execution. This issue affects versions of folly prior to v2021.07.22.00. This issue affects HHVM versions prior to 4.80.5, all versions between 4.81.0 and 4.102.1, all versions between 4.103.0 and 4.113.0, and versions 4.114.0, 4.115.0, 4.116.0, 4.117.0, 4.118.0 and 4.118.1. Pasar un tamaño controlado por un atacante al crear un IOBuf podría causar un desbordamiento de enteros, lo que llevaría a una escritura fuera de límites en la pila con la posibilidad de ejecución de código remoto. Este problema afecta a las versiones de folly anteriores a la v2021.07.22.00. • https://github.com/facebook/folly/commit/4f304af1411e68851bdd00ef6140e9de4616f7d3 https://hhvm.com/blog/2021/07/20/security-update.html https://www.facebook.com/security/advisories/cve-2021-24036 • CWE-122: Heap-based Buffer Overflow CWE-190: Integer Overflow or Wraparound •
CVSS: 9.8EPSS: 0%CPEs: 9EXPL: 0CVE-2020-1900
https://notcve.org/view.php?id=CVE-2020-1900
When unserializing an object with dynamic properties HHVM needs to pre-reserve the full size of the dynamic property array before inserting anything into it. Otherwise the array might resize, invalidating previously stored references. This pre-reservation was not occurring in HHVM prior to v4.32.3, between versions 4.33.0 and 4.56.0, 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0. Cuando se anula la serialización de un objeto con propiedades dinámicas, HHVM necesita reservar previamente el tamaño completo de la matriz de propiedades dinámicas antes de insertar algo en ella. De lo contrario, la matriz podría cambiar de tamaño, invalidando las referencias almacenadas previamente. • https://github.com/facebook/hhvm/commit/c1c4bb0cf9e076aafaf4ff3515556ef9faf906f3 https://hhvm.com/blog/2020/06/30/security-update.html • CWE-416: Use After Free •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2020-1899
https://notcve.org/view.php?id=CVE-2020-1899
The unserialize() function supported a type code, "S", which was meant to be supported only for APC serialization. This type code allowed arbitrary memory addresses to be accessed as if they were static StringData objects. This issue affected HHVM prior to v4.32.3, between versions 4.33.0 and 4.56.0, 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0. La función unserialize() admitía un código de tipo, "S", que estaba destinado a ser admitido solo para la serialización APC. Este código de tipo permitía acceder a direcciones de memoria arbitrarias como si fueran objetos StringData estáticos. • https://github.com/facebook/hhvm/commit/1107228a5128d3ca1c4add8ac1635d933cbbe2e9 https://hhvm.com/blog/2020/06/30/security-update.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-822: Untrusted Pointer Dereference •