Vulnerability Description
mcrypt_get_block_size did not enforce that the provided "module" parameter was a string, leading to type confusion if other types of data were passed in. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0 and 3.12.3 (inclusive), and all versions between 3.13.0 and 3.14.1 (inclusive).
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hhvm | < 3.9.5 |
Related Weaknesses (CWE)
References
- https://github.com/facebook/hhvm/commit/39e7e177473350b3a5c34e8824af3b98e25efa89PatchThird Party Advisory
- https://www.facebook.com/security/advisories/cve-2016-1000005Third Party Advisory
- https://github.com/facebook/hhvm/commit/39e7e177473350b3a5c34e8824af3b98e25efa89PatchThird Party Advisory
- https://www.facebook.com/security/advisories/cve-2016-1000005Third Party Advisory
FAQ
What is CVE-2016-1000005?
CVE-2016-1000005 is a vulnerability with a CVSS score of 9.8 (CRITICAL). mcrypt_get_block_size did not enforce that the provided "module" parameter was a string, leading to type confusion if other types of data were passed in. This issue affects HHVM versions prior to 3.9....
How severe is CVE-2016-1000005?
CVE-2016-1000005 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2016-1000005?
Check the references section above for vendor advisories and patch information. Affected products include: Facebook Hhvm.