Insufficient Boundary Checks in HHVM Leads to Potential Remote Code Execution
CVE-2019-11929

9.8 CRITICAL

Key Information:

Vendor

Facebook

Status
Vendor
CVE Published: 2 October 2019

What is CVE-2019-11929?

The vulnerability in HHVM arises from insufficient boundary checks when formatting numbers in the number_format function. The flaw allows potential attackers to read and write out-of-bounds memory locations, which could lead to remote code execution. The issue is serious because it affects a range of versions, potentially exposing numerous deployments to exploitation if they are not updated promptly. Users are advised to upgrade their HHVM installations to the latest versions to mitigate this security risk.

Affected Version(s)

HHVM 4.24.0

HHVM 4.23.2

HHVM 4.23.0

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
