First published: Tue Mar 03 2020
Insufficient boundary checks in handleBackslash when decoding JSON cause an out-of-bounds memory read, potentially leading to denial of service (DoS). This issue affects HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and 4.38.0 (inclusive), versions between 4.9.0 and 4.32.0 (inclusive), and versions prior to 4.8.7.
Credit: cve-assign@fb.com
Affected Software | Affected Version | How to fix |
---|---|---|
Facebook HHVM | <4.8.7 | |
Facebook HHVM | >=4.9.0, <=4.32.0 | |
Facebook HHVM | >=4.33.0, <=4.38.0 | |
Facebook HHVM | =4.39.0 | |
Facebook HHVM | =4.40.0 | |
Facebook HHVM | =4.41.0 | |
Facebook HHVM | =4.42.0 | |
Facebook HHVM | =4.43.0 | |
Facebook HHVM | =4.44.0 | |
Facebook HHVM | =4.45.0 | |
The vulnerability ID for this issue is CVE-2020-1888.
The severity of CVE-2020-1888 is high with a severity value of 7.5.
CVE-2020-1888 affects HHVM versions 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and 4.38.0 (inclusive), versions between 4.9.0 and 4.32.0 (inclusive), and versions prior to 4.8.7.
The vulnerability is triggered when HHVM decodes JSON: insufficient boundary checks in handleBackslash allow a read of out-of-bounds memory, potentially leading to denial of service (DoS).
To fix CVE-2020-1888, update HHVM to version 4.46.0 or higher, which includes the necessary security patches.
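
The class of boundary check the description refers to, as an added C example that is not HHVM's code and not part of the advisory: a JSON escape decoder that verifies how much input remains before reading past the backslash. The names `decode_escape` and `hex_val` and the sample inputs are assumptions made for illustration; the page does not show the affected code.

```c
#include <stddef.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper (not HHVM code): decode one JSON escape sequence.
 * p points at the byte after the backslash; end is one past the last
 * readable byte. On success stores the code unit in *out and returns the
 * number of bytes consumed; returns -1 on malformed or truncated input. */
int decode_escape(const char *p, const char *end, unsigned *out) {
    if (p >= end) return -1;              /* input ended right after '\' */
    switch (*p) {
    case '"':  *out = '"';  return 1;
    case '\\': *out = '\\'; return 1;
    case '/':  *out = '/';  return 1;
    case 'b':  *out = '\b'; return 1;
    case 'f':  *out = '\f'; return 1;
    case 'n':  *out = '\n'; return 1;
    case 'r':  *out = '\r'; return 1;
    case 't':  *out = '\t'; return 1;
    case 'u': {
        unsigned v = 0;
        /* Bounds check: 'u' plus four hex digits must lie before end. */
        if ((size_t)(end - p) < 5) return -1;
        for (int i = 1; i <= 4; i++) {
            int h = hex_val((unsigned char)p[i]);
            if (h < 0) return -1;         /* non-hex digit in \uXXXX */
            v = (v << 4) | (unsigned)h;
        }
        *out = v;
        return 5;
    }
    default:
        return -1;                        /* unknown escape character */
    }
}

int main(void) {
    const char cut[] = "u00e";            /* constructed: truncated \u escape */
    unsigned v;
    return decode_escape(cut, cut + 4, &v) == -1 ? 0 : 1;
}
```

Without the two length checks, a document ending in a backslash or in a partial `\u` sequence would make the decoder read bytes beyond the input buffer.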