Access Control Bypass in Facebook HipHop Virtual Machine
CVE-2014-2209
Currently unrated
What is CVE-2014-2209?
The Facebook HipHop Virtual Machine (HHVM) prior to version 3.1.0 contains an access control vulnerability that originates from not dropping supplemental group memberships. This oversight in the hphp/util/capability.cpp and hphp/util/light-process.cpp files permits remote attackers to exploit group permissions associated with a file or directory, allowing them to circumvent intended access restrictions and gain unauthorized access.
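The bug class described above, as an added example that is not HHVM's code or its patch: a privilege drop that leaves supplementary groups in place, next to a hardened version that clears them and verifies the result. The function names and the sample group IDs are hypothetical, and a POSIX/Linux system is assumed.

```cpp
// Added example: names are illustrative and are not HHVM's own code.
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>
#include <cstdio>
#include <vector>

// Weak pattern: changes uid/gid but keeps the inherited supplementary groups,
// so files readable by those groups stay reachable after the "drop".
int drop_privileges_weak(uid_t uid, gid_t gid) {
  if (setgid(gid) != 0) return -1;
  return setuid(uid) != 0 ? -1 : 0;
}

// True only if every entry of a getgroups() result equals the target gid.
// (POSIX leaves it unspecified whether the effective gid is in that list.)
bool groups_fully_dropped(const gid_t* groups, int n, gid_t target) {
  for (int i = 0; i < n; ++i)
    if (groups[i] != target) return false;
  return true;
}

// Hardened pattern: groups first, then gid, then uid, then verify everything.
int drop_privileges(uid_t uid, gid_t gid) {
  if (setgroups(1, &gid) != 0) return -1;  // needs privilege, so it goes first
  if (setgid(gid) != 0) return -1;
  if (setuid(uid) != 0) return -1;         // last: irreversible for non-root
  int n = getgroups(0, nullptr);           // size query
  if (n < 0) return -1;
  std::vector<gid_t> cur(n + 1);
  n = getgroups(n, cur.data());
  if (n < 0 || !groups_fully_dropped(cur.data(), n, gid)) return -1;
  if (getuid() != uid || geteuid() != uid) return -1;
  if (getgid() != gid || getegid() != gid) return -1;
  if (uid != 0 && setuid(0) == 0) return -1;  // must not be able to regain root
  return 0;
}

int main() {
  // Constructed sample group lists; main() does not change process credentials.
  gid_t leaked[] = {1000, 4, 27};  // what getgroups() could show after the weak drop
  gid_t clean[] = {1000};          // what it should show after the hardened drop
  std::printf("leaked list clean? %d\n", (int)groups_fully_dropped(leaked, 3, 1000));
  std::printf("clean list clean?  %d\n", (int)groups_fully_dropped(clean, 1, 1000));
  return 0;
}
```

A service that calls `drop_privileges` should treat a non-zero return as fatal and exit rather than continue with partially dropped credentials.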