Vulnerability Description
HHVM supports the use of an "admin" server which accepts administrative requests over HTTP. One of those request handlers, dump-pcre-cache, can be used to output cached regular expressions from the current execution context into a file. The handler takes a parameter which specifies where on the filesystem to write this data. The parameter is not validated, allowing a malicious user to overwrite arbitrary files where the user running HHVM has write access. This issue affects HHVM versions prior to 4.56.2, all versions between 4.57.0 and 4.78.0, as well as 4.79.0, 4.80.0, 4.81.0, 4.82.0, and 4.83.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hhvm | < 4.56.2 |
Related Weaknesses (CWE)
References
- https://github.com/facebook/hhvm/commit/abe0b29e4d3a610f9bc920b8be4ad8403364c2d4PatchThird Party Advisory
- https://hhvm.com/blog/2020/11/12/security-update.htmlVendor Advisory
- https://www.facebook.com/security/advisories/cve-2019-3556Broken Link
- https://github.com/facebook/hhvm/commit/abe0b29e4d3a610f9bc920b8be4ad8403364c2d4PatchThird Party Advisory
- https://hhvm.com/blog/2020/11/12/security-update.htmlVendor Advisory
- https://www.facebook.com/security/advisories/cve-2019-3556Broken Link
FAQ
What is CVE-2019-3556?
CVE-2019-3556 is a vulnerability with a CVSS score of 8.1 (HIGH). HHVM supports the use of an "admin" server which accepts administrative requests over HTTP. One of those request handlers, dump-pcre-cache, can be used to output cached regular expressions from the cu...
How severe is CVE-2019-3556?
CVE-2019-3556 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-3556?
Check the references section above for vendor advisories and patch information. Affected products include: Facebook Hhvm.