CVE-2019-11936

critical

Description

Various APC functions accept keys containing null bytes as input, leading to premature truncation of input. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

References

https://www.facebook.com/security/advisories/cve-2019-11936

https://hhvm.com/blog/2019/10/28/security-update.html

https://github.com/facebook/hhvm/commit/f57df6d8cf33cb14c40f52287da29360e7003373

Details

Source: MITRE, NVD

Published: 2019-12-04

Updated: 2021-09-14

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00725