File Overwrite Vulnerability in HHVM by Facebook
CVE-2019-3556
CVSS score: 8.1 (High)
What is CVE-2019-3556?
HHVM's admin server exposes a set of administrative request handlers over HTTP. One of them, 'dump-pcre-cache', writes the contents of the in-process PCRE (regular expression) cache to a file, with the destination taken from a request parameter. The handler did not validate that parameter, so any client able to reach the admin server could supply an arbitrary path and have the cache dump written there, overwriting any file the HHVM process has permission to write. The impact is bounded by the HHVM user's privileges and by the fact that the bytes written are the cache dump rather than free-form attacker data, but in typical deployments the HHVM user can write to application files and configuration, and the regular expressions in the cache are partly influenced by request-driven code paths. The admin server should never be reachable from untrusted networks, and affected deployments should upgrade to a release containing the fix.
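The following C++ sketch is an added illustration, not HHVM's code and not a reproduction of the real handler or its parameter name. It contrasts a handler that uses a request-supplied file name verbatim (the pattern the advisory describes) with one that confines the dump to a fixed directory by rejecting absolute paths, parent-directory components, embedded NUL bytes and directory names. The function names, the dump directory and the request values are assumptions.

```cpp
#include <cstdio>
#include <initializer_list>
#include <string>
#include <vector>

// Added example, not HHVM source: a sketch of an admin handler that writes a
// cache dump to a file named by the request. The "vulnerable" version uses the
// request value verbatim; the "hardened" version confines the destination to a
// fixed dump directory. All names here are assumptions.

struct PathCheck {
    bool ok;            // true when the target is acceptable
    std::string path;   // resolved absolute target when ok
    std::string reason; // rejection reason otherwise
};

// Split a relative name on '/' and drop empty and "." components.
static std::vector<std::string> splitComponents(const std::string& p) {
    std::vector<std::string> out;
    std::string cur;
    for (char ch : p) {
        if (ch == '/') {
            if (!cur.empty() && cur != ".") out.push_back(cur);
            cur.clear();
        } else {
            cur += ch;
        }
    }
    if (!cur.empty() && cur != ".") out.push_back(cur);
    return out;
}

// Vulnerable pattern: whatever the client sent becomes the output path.
std::string unsafeDumpTarget(const std::string& fileParam) {
    return fileParam;
}

// Hardened pattern: only names relative to dumpDir, with no absolute prefix,
// no ".." component, no NUL byte and no trailing slash, are accepted.
PathCheck safeDumpTarget(const std::string& dumpDir, const std::string& fileParam) {
    if (fileParam.empty())                         return {false, "", "empty file name"};
    if (fileParam.find('\0') != std::string::npos) return {false, "", "embedded NUL byte"};
    if (fileParam[0] == '/')                       return {false, "", "absolute path"};
    if (fileParam.back() == '/')                   return {false, "", "names a directory"};
    std::vector<std::string> comps = splitComponents(fileParam);
    if (comps.empty())                             return {false, "", "no file name component"};
    for (const std::string& c : comps) {
        if (c == "..") return {false, "", "parent-directory traversal"};
    }
    std::string target = dumpDir;
    for (const std::string& c : comps) { target += '/'; target += c; }
    return {true, target, ""};
}

// Write the dump to an already-validated target. Returns false on I/O failure.
bool writeDump(const std::string& target, const std::string& contents) {
    std::FILE* f = std::fopen(target.c_str(), "w");
    if (!f) return false;
    bool ok = std::fwrite(contents.data(), 1, contents.size(), f) == contents.size();
    return std::fclose(f) == 0 && ok;
}

int main() {
    // Constructed request values; the second imitates a traversal attempt.
    const std::string benign  = "pcre_cache.txt";
    const std::string hostile = "../../etc/cron.d/pwn";
    const std::string dumpDir = "/tmp";  // assumed dump directory

    std::printf("unsafe: %s -> %s\n", hostile.c_str(), unsafeDumpTarget(hostile).c_str());
    for (const std::string& p : {benign, hostile}) {
        PathCheck r = safeDumpTarget(dumpDir, p);
        if (r.ok) std::printf("safe:   %s -> %s\n", p.c_str(), r.path.c_str());
        else      std::printf("safe:   %s rejected (%s)\n", p.c_str(), r.reason.c_str());
    }
    return 0;
}
```

The check is purely lexical, so it does not defend against a symlink already planted inside the dump directory; a handler that must be robust against that should also open the target with O_NOFOLLOW relative to a directory descriptor, or keep the dump directory writable only by the HHVM user.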
Affected Version(s)
HHVM 4.83.0
HHVM 4.82.0
HHVM 4.81.0