Namespace Conflict Vulnerability in HHVM by Facebook
CVE-2016-1000109

5.3MEDIUM

Key Information:

Vendor

Facebook

Status
Hhvm
Vendor
CVE Published:
19 February 2020

What is CVE-2016-1000109?

The HHVM product by Facebook is susceptible to a namespace conflict vulnerability that does not comply with RFC 3875 section 4.1.18. This security flaw allows attackers to manipulate the HTTP_PROXY environment variable, potentially redirecting a CGI application's outbound HTTP traffic to untrusted proxy servers. By sending a specially crafted Proxy header in HTTP requests, malicious actors can exploit this vulnerability, highlighting a significant risk for applications relying on HHVM versions affected by these issues.

References

https://httpoxy.org/
x_refsource_MISC
https://github.com/facebook/hhvm/commit/423b4b719afd5ef4e...
x_refsource_CONFIRM
https://www.facebook.com/security/advisories/cve-2016-100...
x_refsource_CONFIRM

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.