File Overwrite Vulnerability in HHVM by Facebook
CVE-2019-3556
8.1 HIGH
What is CVE-2019-3556?
HHVM's admin server has a significant vulnerability: it permits unauthorized administrative requests over HTTP. The 'dump-pcre-cache' request handler, which writes the cached regular expressions to a location on the filesystem, does not validate its input parameter. A caller who can reach the admin server can therefore control the target file path and overwrite arbitrary files that the HHVM user has write access to. Users are strongly advised to upgrade to a fixed version to mitigate this risk.
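The defect described above is a missing validation step on a file-name parameter before it is used as a write target. The following added example (not HHVM's code, and not taken from this advisory) shows the weak pattern beside a hardened one in Python, using a made-up `dump_cache` handler as a stand-in for the real C++ request handler. The handler name, the parameter handling and the sample cache contents are assumptions made for illustration; the real parameter name is not stated on this page.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample standing in for a regex cache: pattern -> hit count.
SAMPLE_CACHE = {"^/user/(\\d+)$": 12, "\\.php$": 3}


class UnsafePathError(ValueError):
    """Raised when an admin-supplied file name cannot be confined to the dump directory."""


def unsafe_dump_path(base_dir: str, requested: str) -> str:
    """The weak pattern: trust the parameter and join it onto a base directory.

    os.path.join discards base_dir entirely when `requested` is absolute, and
    '..' components are preserved, so the caller decides where the file lands.
    """
    return os.path.join(base_dir, requested)


def resolve_dump_path(base_dir: str, requested: str) -> Path:
    """Hardened variant: only a bare file name inside base_dir is accepted.

    Rejects empty names, absolute paths, anything with more than one path
    component (which covers '../' traversal and subdirectories), the special
    names '.' and '..', and any result that still escapes base_dir after
    symlinks are resolved (a pre-planted symlink inside the directory would
    otherwise redirect the write).
    """
    if not requested:
        raise UnsafePathError("empty file name")
    if os.path.isabs(requested):
        raise UnsafePathError("absolute paths are not allowed")
    name = Path(requested)
    if len(name.parts) != 1 or name.name in ("", ".", ".."):
        raise UnsafePathError("only a bare file name is allowed")
    base = Path(base_dir).resolve(strict=True)
    target = (base / name).resolve()
    if target.parent != base:
        raise UnsafePathError("resolved path escapes the dump directory")
    return target


def dump_cache(cache: dict, base_dir: str, requested: str) -> Path:
    """Hypothetical dump handler: write the cache to a confined path and return it."""
    target = resolve_dump_path(base_dir, requested)
    with open(target, "w", encoding="utf-8") as fh:
        for pattern, hits in cache.items():
            fh.write(f"{hits}\t{pattern}\n")
    return target


def run_demo() -> dict:
    """Exercise both variants in a throwaway directory and return a summary."""
    with tempfile.TemporaryDirectory() as base:
        written = dump_cache(SAMPLE_CACHE, base, "pcre-cache.txt")
        lines = written.read_text(encoding="utf-8").splitlines()
        rejected = []
        for attempt in ["", "/tmp/elsewhere.txt", "../escape.txt", "sub/inner.txt", ".."]:
            try:
                resolve_dump_path(base, attempt)
            except UnsafePathError:
                rejected.append(attempt)
        return {
            "written_inside_base": written.parent == Path(base).resolve(),
            "line_count": len(lines),
            "rejected": rejected,
            # The naive join lets an absolute parameter replace the base directory.
            "unsafe_join_escapes": not unsafe_dump_path(base, "/tmp/elsewhere.txt").startswith(base),
        }


if __name__ == "__main__":
    print(run_demo())
```

The check is deliberately an allow-list (one plain file name, resolved and compared against the directory it must stay in) rather than a search for known-bad substrings such as `..`; string filtering is easy to bypass with alternative encodings, while comparing the resolved parent directory is not. Restricting which callers can reach the admin endpoint at all is a separate, complementary control.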
Affected Version(s)
HHVM 4.83.0
HHVM 4.82.0
HHVM 4.81.0
References
CVSS V3.1
Score: 8.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved