Total
40 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-11936 | 1 Facebook | 1 Hhvm | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Various APC functions accept keys containing null bytes as input, leading to premature truncation of input. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1. | |||||
| CVE-2020-1888 | 1 Facebook | 1 Hhvm | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| Insufficient boundary checks when decoding JSON in handleBackslash reads out of bounds memory, potentially leading to DOS. This issue affects HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and 4.38.0 (inclusive), versions between 4.9.0 and 4.32.0 (inclusive), and versions prior to 4.8.7. | |||||
| CVE-2020-1893 | 1 Facebook | 1 Hhvm | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| Insufficient boundary checks when decoding JSON in TryParse reads out of bounds memory, potentially leading to DOS. This issue affects HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and 4.38.0 (inclusive), versions between 4.9.0 and 4.32.0 (inclusive), and versions prior to 4.8.7. | |||||
| CVE-2019-3561 | 1 Facebook | 1 Hhvm | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Insufficient boundary checks for the strrpos and strripos functions allow access to out-of-bounds memory. This affects all supported versions of HHVM (4.0.3, 3.30.4, and 3.27.7 and below). | |||||
| CVE-2019-11925 | 1 Facebook | 1 Hhvm | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Insufficient boundary checks when processing the JPEG APP12 block marker in the GD extension could allow access to out-of-bounds memory via a maliciously constructed invalid JPEG input. This issue affects HHVM versions prior to 3.30.9, all versions between 4.0.0 and 4.8.3, all versions between 4.9.0 and 4.15.2, and versions 4.16.0 to 4.16.3, 4.17.0 to 4.17.2, 4.18.0 to 4.18.1, 4.19.0, 4.20.0 to 4.20.1. | |||||
| CVE-2019-11926 | 1 Facebook | 1 Hhvm | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Insufficient boundary checks when processing M_SOFx markers from JPEG headers in the GD extension could allow access to out-of-bounds memory via a maliciously constructed invalid JPEG input. This issue affects HHVM versions prior to 3.30.9, all versions between 4.0.0 and 4.8.3, all versions between 4.9.0 and 4.15.2, and versions 4.16.0 to 4.16.3, 4.17.0 to 4.17.2, 4.18.0 to 4.18.1, 4.19.0, 4.20.0 to 4.20.1. | |||||
| CVE-2019-3569 | 1 Facebook | 1 Hhvm | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| HHVM, when used with FastCGI, would bind by default to all available interfaces. This behavior could allow a malicious individual unintended direct access to the application, which could result in information disclosure. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series. | |||||
| CVE-2018-6332 | 1 Facebook | 1 Hhvm | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
| A potential denial-of-service issue in the Proxygen handling of invalid HTTP2 settings which can cause the server to spend disproportionate resources. This affects all supported versions of HHVM (3.24.3 and 3.21.7 and below) when using the proxygen server to handle HTTP2 requests. | |||||
| CVE-2018-6337 | 1 Facebook | 2 Folly, Hhvm | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| folly::secureRandom will re-use a buffer between parent and child processes when fork() is called. That will result in multiple forked children producing repeat (or similar) results. This affects HHVM 3.26 prior to 3.26.3 and the folly library between v2017.12.11.00 and v2018.08.09.00. | |||||
| CVE-2018-6334 | 1 Facebook | 1 Hhvm | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below). | |||||
| CVE-2018-6345 | 1 Facebook | 1 Hhvm | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| The function number_format is vulnerable to a heap overflow issue when its second argument ($dec_points) is excessively large. The internal implementation of the function will cause a string to be created with an invalid length, which can then interact poorly with other functions. This affects all supported versions of HHVM (3.30.1 and 3.27.5 and below). | |||||
| CVE-2018-6335 | 1 Facebook | 1 Hhvm | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| A Malformed h2 frame can cause 'std::out_of_range' exception when parsing priority meta data. This behavior can lead to denial-of-service. This affects all supported versions of HHVM (3.25.2, 3.24.6, and 3.21.10 and below) when using the proxygen server to handle HTTP2 requests. | |||||
| CVE-2019-3557 | 1 Facebook | 1 Hhvm | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| The implementations of streams for bz2 and php://output improperly implemented their readImpl functions, returning -1 consistently. This behavior caused some stream functions, such as stream_get_line, to trigger an out-of-bounds read when operating on such malformed streams. The implementations were updated to return valid values consistently. This affects all supported versions of HHVM (3.30 and 3.27.4 and below). | |||||
| CVE-2018-6340 | 1 Facebook | 1 Hhvm | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
| The Memcache::getextendedstats function can be used to trigger an out-of-bounds read. Exploiting this issue requires control over memcached server hostnames and/or ports. This affects all supported versions of HHVM (3.30 and 3.27.4 and below). | |||||
| CVE-2016-6870 | 1 Facebook | 1 Hhvm | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Out-of-bounds write in the (1) mb_detect_encoding, (2) mb_send_mail, and (3) mb_detect_order functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. | |||||
| CVE-2016-6875 | 1 Facebook | 1 Hhvm | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Infinite recursion in wddx in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. | |||||
| CVE-2016-6873 | 1 Facebook | 1 Hhvm | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Self recursion in compact in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. | |||||
| CVE-2016-6872 | 1 Facebook | 1 Hhvm | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Integer overflow in StringUtil::implode in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. | |||||
| CVE-2016-6874 | 1 Facebook | 1 Hhvm | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| The array_*_recursive functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, related to recursion. | |||||
| CVE-2016-6871 | 1 Facebook | 1 Hhvm | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Integer overflow in bcmath in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, which triggers a buffer overflow. | |||||