What is the severity of CVE-2019-3556?

The severity of CVE-2019-3556 is high with a CVSS score of 8.1.

How does CVE-2019-3556 affect HHVM?

CVE-2019-3556 affects HHVM versions up to and including 4.56.2, as well as versions between 4.57.0 and 4.78.0.

What is the vulnerability in HHVM related to CVE-2019-3556?

The vulnerability in HHVM related to CVE-2019-3556 is the use of an "admin" server that accepts administrative requests over HTTP.

How can an attacker exploit CVE-2019-3556?

An attacker can exploit CVE-2019-3556 by sending a malicious request to the dump-pcre-cache request handler, which outputs cached regular expressions into a file.

Is there a fix available for CVE-2019-3556?

Yes, a fix is available for CVE-2019-3556. It is recommended to update to a version of HHVM that is not affected by the vulnerability.

Vulnerability/
CVE-2019-3556

high

8.1

CWE

26/10/2021

4/8/2024

CVE-2019-3556: Path Traversal

First published: Tue Oct 26 2021(Updated: )

HHVM supports the use of an "admin" server which accepts administrative requests over HTTP. One of those request handlers, dump-pcre-cache, can be used to output cached regular expressions from the current execution context into a file. The handler takes a parameter which specifies where on the filesystem to write this data. The parameter is not validated, allowing a malicious user to overwrite arbitrary files where the user running HHVM has write access. This issue affects HHVM versions prior to 4.56.2, all versions between 4.57.0 and 4.78.0, as well as 4.79.0, 4.80.0, 4.81.0, 4.82.0, and 4.83.0.

Credit: cve-assign@fb.com

Affected Software	Affected Version	How to fix
Facebook HipHop Virtual Machine	<4.56.2
Facebook HipHop Virtual Machine	>=4.57.0<=4.78.0
Facebook HipHop Virtual Machine	=4.79.0
Facebook HipHop Virtual Machine	=4.80.0
Facebook HipHop Virtual Machine	=4.81.0
Facebook HipHop Virtual Machine	=4.82.0
Facebook HipHop Virtual Machine	=4.83.0

Remedy

https://github.com/facebook/hhvm/commit/abe0b29e4d3a610f9bc920b8be4ad8403364c2d4

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2019-3556?
The severity of CVE-2019-3556 is high with a CVSS score of 8.1.
How does CVE-2019-3556 affect HHVM?
CVE-2019-3556 affects HHVM versions up to and including 4.56.2, as well as versions between 4.57.0 and 4.78.0.
What is the vulnerability in HHVM related to CVE-2019-3556?
The vulnerability in HHVM related to CVE-2019-3556 is the use of an "admin" server that accepts administrative requests over HTTP.
How can an attacker exploit CVE-2019-3556?
An attacker can exploit CVE-2019-3556 by sending a malicious request to the dump-pcre-cache request handler, which outputs cached regular expressions into a file.
Is there a fix available for CVE-2019-3556?
Yes, a fix is available for CVE-2019-3556. It is recommended to update to a version of HHVM that is not affected by the vulnerability.

agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/severity
agent/remedy
agent/references
agent/last-modified-date
agent/weakness
agent/author
agent/description
agent/first-publish-date
agent/event
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/facebook
canonical/facebook hiphop virtual machine
version/facebook hiphop virtual machine/4.57.0
version/facebook hiphop virtual machine/4.78.0
version/facebook hiphop virtual machine/4.79.0
version/facebook hiphop virtual machine/4.80.0
version/facebook hiphop virtual machine/4.81.0
version/facebook hiphop virtual machine/4.82.0
version/facebook hiphop virtual machine/4.83.0