PT-2021-10300 · Facebook · HHVM
Jjergus · Published 2021-03-10 · Updated 2021-03-17
| CVE | CVE-2020-1916 |
| CVSS v3.1 | 9.8 (Critical) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
HHVM versions prior to 4.56.2
HHVM versions 4.57.0 through 4.78.0
HHVM version 4.79.0
HHVM version 4.80.0
HHVM version 4.81.0
HHVM version 4.82.0
HHVM version 4.83.0
Description:
An incorrect size calculation in ldap_escape can overflow an integer when overly long input is passed in, so the output buffer is allocated too small and the escaping loop performs an out-of-bounds heap write.
Recommendations:
For HHVM versions prior to 4.56.2, update to version 4.56.2 or later.
For HHVM versions 4.57.0 through 4.78.0, update to a version outside of this range.
For HHVM versions 4.79.0, 4.80.0, 4.81.0, 4.82.0 and 4.83.0, update to a newer version.
As a temporary workaround, restrict the length of untrusted input before it reaches ldap_escape, so that overly long values can never be passed to the function.
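The following is an added illustration of the bug class described above and of the length-restriction workaround; it is constructed for this page and is not HHVM's ldap_escape code. It assumes the usual filter-escape encoding (each special byte becomes "\XX", so the output needs at most 3*len + 1 bytes) and a hypothetical input cap MAX_ESCAPE_INPUT.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (not HHVM's code): an LDAP filter escape turns each
 * special byte into "\XX", so the worst-case output is 3*len + 1 bytes. */

/* Unsafe pattern: the size is computed in 32-bit arithmetic and silently wraps
 * for long input, so a buffer allocated from it is too small for the write loop. */
static uint32_t unchecked_escaped_size(size_t len) {
    uint32_t n = (uint32_t)len;          /* truncating conversion */
    return n * 3u + 1u;                  /* wraps for len >= 0x55555555 */
}

/* Assumed policy cap, mirroring the workaround of restricting input length. */
#define MAX_ESCAPE_INPUT ((size_t)1 << 20)

/* Hardened pattern: size_t arithmetic, explicit overflow check, input cap. */
static bool checked_escaped_size(size_t len, size_t *out) {
    if (len > MAX_ESCAPE_INPUT) return false;    /* reject overly long input */
    if (len > (SIZE_MAX - 1) / 3) return false;  /* 3*len + 1 would overflow */
    *out = len * 3 + 1;
    return true;
}

/* Escape '*', '(', ')', '\\' and NUL into a buffer sized by the checked helper.
 * Returns a malloc'd NUL-terminated string, or NULL if the input is rejected. */
static char *ldap_escape_filter(const unsigned char *in, size_t len) {
    static const char hex[] = "0123456789abcdef";
    size_t need, j = 0;
    if (!checked_escaped_size(len, &need)) return NULL;
    char *out = malloc(need);
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        if (c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0') {
            out[j++] = '\\';
            out[j++] = hex[c >> 4];
            out[j++] = hex[c & 0x0f];
        } else {
            out[j++] = (char)c;
        }
    }
    out[j] = '\0';                 /* j <= 3*len < need, so this stays in bounds */
    return out;
}
```

The checked helper rejects both inputs above the cap and inputs whose worst-case size would not fit in size_t, which is the property the unchecked version lacks.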
Weakness types: Heap-based buffer overflow, memory corruption
Affected Products: HHVM